Restrict Active Directory LDAP "bind" to specific accounts


We have On-prem Active Directory, users and applications are authenticated by AD to access network resources.

Please advise if there is a way to secure or delegate AD LDAP "bind" only to admins or specific service accounts. Currently anyone with valid credentials can "bind" to Active Directory, traverse through OUs and see all AD information. Is it possible to limit it to only Administrators and service accounts and have LDAP Kerberos authentication in service? Thank you!

2 Replies
Hello,
This is by design - Active Directory is a directory, not a secured vault.
You can always restrict read/browse rights by applying a delegation model (updating OU ACLs, updating access rights, ...), but the more you restrict it, the more technical issues and management complexity you'll get.
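Before touching any OU ACL in a delegation model like the one described above, it helps to see which broad principals currently hold read rights on an OU. The following PowerShell audit script is an added example, not code from the reply's author; it assumes the RSAT ActiveDirectory module is installed and that you substitute the distinguished name of the OU you are reviewing (the DN below is a placeholder).

```powershell
# Added example: list ACEs on an OU that grant read-type rights to "everyone"-style principals.
# Assumes the ActiveDirectory module (RSAT) and an OU DN supplied by the caller.
Import-Module ActiveDirectory

function Get-BroadReadAces {
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName
    )
    # Principals that effectively mean "any authenticated user" for read access.
    # Authenticated Users is a default member of Pre-Windows 2000 Compatible Access,
    # which is the usual reason every domain account can browse the whole directory.
    $broad = @(
        'NT AUTHORITY\Authenticated Users',
        'Everyone',
        'BUILTIN\Pre-Windows 2000 Compatible Access'
    )

    # The AD: PSDrive exposes directory objects so Get-Acl can read their security descriptors.
    $acl = Get-Acl -Path ("AD:\" + $OuDistinguishedName)

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broad -notcontains $ace.IdentityReference.Value) { continue }
        # Report only rights that let the principal read or enumerate objects.
        if ($ace.ActiveDirectoryRights -match 'GenericRead|ReadProperty|ListChildren|ListObject|GenericAll') {
            [pscustomobject]@{
                OU          = $OuDistinguishedName
                Identity    = $ace.IdentityReference.Value
                Rights      = $ace.ActiveDirectoryRights
                Inherited   = $ace.IsInherited      # True means the ACE came from a parent, not this OU
                AppliesTo   = $ace.InheritanceType
                ObjectType  = $ace.ObjectType       # attribute/class GUID, or all zeros for the whole object
            }
        }
    }
}

# Usage: replace the placeholder DN with the OU you are reviewing.
Get-BroadReadAces -OuDistinguishedName 'OU=Service Accounts,DC=example,DC=local' | Format-Table -AutoSize

# To review the whole domain at once, run it against every OU:
# Get-ADOrganizationalUnit -Filter * | ForEach-Object { Get-BroadReadAces $_.DistinguishedName }
```

Rows with Inherited = True show where a restriction would have to be applied higher up (or inheritance blocked), which is exactly where the management complexity the reply warns about starts.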

@Alban1998 thank you for the reply, I thought so too, just wanted to double-check with experts. And for LDAP binding, when used by an application to authenticate users, there is no such permission in AD, correct?