[Samba] Normal users do not see memberOf and userAccountControl LDAP attributes

Rowland Penny rpenny at samba.org
Mon Nov 14 19:08:59 UTC 2022

On 14/11/2022 18:21, shacky via samba wrote:
> Hi,
> I am connecting an application to Samba using a "service" account
> (basically an Active Directory "normal" user account).

What application ?

> I realised that to have access to some attributes of all users (for example
> "memberOf" and "userAccountControl") 

You do not actually set or read 'memberof', you add/remove the 'member' 
attribute from the users AD object and then magically 'memberof' appears 
(or disappears) in the groups AD object.

Do you really want a normal user to be able to change their 
userAccountControl attribute ?

> this user should be part of the Domain
> Admin group, else it has access only to all its own attributes, and it
> shows only a partial sets of attributes for every other users.
> I think this is a normal security approach, but I don't want to use a
> Domain Admin account for applications.
> For this reason I am wondering which permissions I should give to these
> service user to access to all other users LDAP attributes.

Absolutely none that they do not already have, the permissions are set 
as they are for a reason, mainly security.


More information about the samba mailing list