LDAP-UX Client Services B.04.00 with Microsoft Windows 2000/2003 Active Directory Administrator's Guide
Installing LDAP-UX Client Services
Configuring Active Directory for HP-UX Integration
Chapter 2 27
CAUTION: Make sure the proxy user is a member of the Domain Users group, which allows read access only, and not the Administrator group, to protect Active Directory entries from malicious modifications.
A proxy user's access right to objects in an Active Directory depends on what default permissions Active Directory has been configured with during installation. The two possible permission options are:
• Installation with "Permissions Compatible with Pre-Windows 2000 Servers"
This permission option allows any authenticated user read access to all attributes, including POSIX attributes. This means that any user can be configured as a proxy user. For security reasons, this may not be your best choice.
• Installation with "Windows 2000 Compatible Access"
This option allows authenticated users read rights to all properties of their own objects, but limited access to attributes of other objects. Because a proxy user must be able to read all users' and groups' POSIX attributes, the administrator should specifically extend the access capabilities for proxy users using one of the following alternatives:
— Configure the proxy user to be a member of the "Pre-Windows 2000 Compatible Access" group. By doing this, you allow the proxy user to read all properties of user and group objects. Here is how to configure it:
1. Start Active Directory Users and Computers.
2. From the domain tree, click Builtin.
3. Double-click Pre-Windows 2000 Compatible Access, and select the Members tab.
4. Click Add; from the list of all users and groups, select the user name which you want to configure as a proxy user, then click Add.
5. Click OK to save the configuration.
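The group change above, as an added example that is not from the guide: the same step done with the ActiveDirectory PowerShell module, followed by the two checks a practitioner would want, that the proxy account holds no privileged membership (the CAUTION above) and that, bound as the proxy itself, it can actually read the POSIX attributes of every user. It assumes the RSAT ActiveDirectory module (newer than the Windows 2000/2003 tools the guide describes), a hypothetical proxy account named "ldapproxy", and the RFC 2307 attribute names uidNumber/gidNumber for the POSIX attributes.

```powershell
# Added example, not part of the HP guide. Assumes the ActiveDirectory
# PowerShell module (RSAT), a hypothetical proxy account "ldapproxy",
# and RFC 2307 attribute names uidNumber/gidNumber for POSIX attributes.
Import-Module ActiveDirectory

$ProxyUser = 'ldapproxy'
$ReadGroup = 'Pre-Windows 2000 Compatible Access'
# Groups a read-only proxy user must never be a member of.
$Privileged = @('Administrators', 'Domain Admins', 'Enterprise Admins',
                'Schema Admins', 'Account Operators')

# Steps 1-5 of the guide, done with the AD module instead of the GUI:
# membership in this built-in group grants read access to all
# properties of user and group objects.
Add-ADGroupMember -Identity $ReadGroup -Members $ProxyUser

# Check the memberships against the CAUTION: Domain Users plus the
# read group, and nothing that carries write or administrative rights.
$Groups = (Get-ADPrincipalGroupMembership -Identity $ProxyUser).Name
$Bad = $Groups | Where-Object { $Privileged -contains $_ }
if ($Bad) { Write-Warning "$ProxyUser is in privileged group(s): $($Bad -join ', ')" }
if ($Groups -notcontains 'Domain Users') { Write-Warning "$ProxyUser is not in Domain Users" }
if ($Groups -notcontains $ReadGroup)     { Write-Warning "$ProxyUser is not in '$ReadGroup'" }

# Verify the result as the proxy user itself: every user whose POSIX
# attributes an administrator can see must also be visible when bound
# as the proxy. Users the proxy cannot read drop out of the filtered
# query, which is exactly the access gap the guide warns about.
$Cred = Get-Credential -UserName "$env:USERDNSDOMAIN\$ProxyUser" `
                       -Message 'Password of the proxy user'
$Filter   = 'uidNumber -like "*"'
$AllPosix = Get-ADUser -Filter $Filter -Properties uidNumber, gidNumber
$AsProxy  = Get-ADUser -Filter $Filter -Properties uidNumber, gidNumber -Credential $Cred
$Seen = @{}
foreach ($u in $AsProxy) { $Seen[$u.SamAccountName] = $true }
$Unreadable = @($AllPosix | Where-Object { -not $Seen.ContainsKey($_.SamAccountName) })

if ($Unreadable.Count -gt 0) {
    Write-Warning ("Proxy cannot read POSIX attributes of {0} user(s): {1}" -f
        $Unreadable.Count, (($Unreadable.SamAccountName | Select-Object -First 10) -join ', '))
} else {
    Write-Host "Proxy user '$ProxyUser' can read uidNumber/gidNumber of all $($AllPosix.Count) POSIX users."
}
```

Run it on a domain controller or a workstation with RSAT, as an account that can modify the Builtin group; the final comparison is the check to repeat after any permission change to the domain.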