
I have a Windows Service running under the NETWORK SERVICE account and have a need to query Active Directory for extended information about users.

It looks like in this situation there are access restrictions that prevent the service from accessing Active Directory. And the service has to be run as NETWORK SERVICE, not domain user.

So far I'm passing credentials (login and password) of a domain user to DirectorySearcher. Credentials are retrieved from config file, which is, of course, not good.

Is there another more elegant way to query Active Directory from service running under the NETWORK SERVICE?

SGarratt: When you say "It looks like... there are access restrictions", do you mean you know there are, or it's not working so you assume there are? I ask because this should work. Is there a firewall getting in the way?

Dima Malenko: It's not working for me, so my assumption is that there is something getting in the way. I do not think it is a firewall issue, because when I specify a domain account to access AD it works.

2 Answers


Unless your domain administrator deliberately bans this, Active Directory by default allows any computer account to run LDAP queries.

So, if your computer has joined the domain, using the NT AUTHORITY\Network Service account should just work.

Alternatively, you can set the domain user as the service account. Then you don't need to pass any username or password into DirectorySearcher.
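To make the point of this answer (and of the question) concrete: the following is an added example, not code from the original question or either answer. It runs a DirectorySearcher query using the process's own security context, so when the service runs as NETWORK SERVICE the LDAP bind is made as the computer account (DOMAIN\HOSTNAME$) and no credentials are stored in a config file. It assumes a domain-joined host and the default permissions described in the answer; the attribute names and the sAMAccountName "jdoe" are placeholders.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

// Added example. Assumptions: domain-joined host, service identity of
// NT AUTHORITY\NETWORK SERVICE, default AD read permissions for computer
// accounts. "jdoe" and the attribute list are placeholders.
public static class AdUserLookup
{
    // Query the joined domain with the caller's own credentials. No
    // username/password is supplied: the DirectoryEntry binds as the
    // account the process runs under.
    public static SearchResult FindUser(string samAccountName)
    {
        // Escape per RFC 4515 so a caller-supplied name cannot change the filter.
        string escaped = EscapeLdapFilterValue(samAccountName);

        // rootDSE resolves to a DC of the current domain; reading
        // defaultNamingContext avoids hard-coding the domain DN.
        string baseDn;
        using (var rootDse = new DirectoryEntry("LDAP://rootDSE"))
        {
            baseDn = (string)rootDse.Properties["defaultNamingContext"].Value;
        }

        using (var root = new DirectoryEntry("LDAP://" + baseDn))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" + escaped + "))";
            searcher.SearchScope = SearchScope.Subtree;
            // Request only the attributes the service needs (placeholders here).
            searcher.PropertiesToLoad.AddRange(new[] { "displayName", "mail", "department", "memberOf" });
            return searcher.FindOne(); // null when nothing matches
        }
    }

    // Diagnostic: the identity the directory evaluates the object ACLs against.
    // Under NETWORK SERVICE on a domain member this is DOMAIN\HOSTNAME$.
    public static string CurrentIdentityName()
    {
        return WindowsIdentity.GetCurrent().Name;
    }

    public static string EscapeLdapFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    public static void Main()
    {
        Console.WriteLine("Running as: " + CurrentIdentityName());
        try
        {
            SearchResult r = FindUser("jdoe");
            if (r == null) { Console.WriteLine("No such user."); return; }
            foreach (string prop in new[] { "displayName", "mail", "department" })
            {
                ResultPropertyValueCollection vals = r.Properties[prop];
                // An attribute the computer account is not allowed to read comes
                // back empty rather than raising an error.
                Console.WriteLine(prop + ": " + (vals.Count > 0 ? vals[0] : "<unset or not readable>"));
            }
        }
        catch (DirectoryServicesCOMException ex)
        {
            // Access denied or a failed bind here points at domain membership or
            // object permissions for the computer account, not at the query itself.
            Console.WriteLine("LDAP error 0x" + ex.ErrorCode.ToString("X") + ": " + ex.Message);
        }
    }
}
```

Two things worth checking when it does not work: the "Running as" line should show the domain computer account, not a local name, and attributes that the computer account lacks read permission on are returned empty instead of causing an exception, so an empty value is a permissions question before it is a data question.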


You can give the computer account (COMPUTERNAME$) read permissions in Active Directory, but as @Harvey Kwok said, it should have this by default (if the computer is a domain member).