Windows 2008R2 blocks outbound LDAP for non-admins?

Posted by Jon Bailey on Server Fault See other posts from Server Fault or by Jon Bailey
Published on 2011-07-24T21:27:33Z Indexed on 2012/10/12 3:39 UTC
Read the original article Hit count: 341

I've got a Windows 2008R2 terminal server with ~30 users on it. It's joined to a Samba-based domain. During the login script, we connect directly to the LDAP server to pull out certain profile information. This used to work just fine. Now, it doesn't, but only for non-local-admin accounts. Local admins work fine.

As a non-local-admin:

  • Connection to ports 389 or 636 just terminate (wireshark on the LDAP server reveals no connection attempt)
  • Connection to other ports on the same server work fine
  • Same thing on multiple LDAP servers
  • Windows firewall is disabled
  • Can't find any other rules/policies that may block this

I suspect since this used to work, it came down during an update, but for the life of me, I can't find what.

EDIT: I just ran Wireshark on the machine and didn't see anything when connecting to the LDAP server in question (or any LDAP server for that matter).

I can, however, see traffic when I connect to that server on another port.

© Server Fault or respective owner

Related posts about windows-server-2008-r2

Related posts about ldap