
Min Security Rights to Perform LDAP Queries in Active Directory


Our company is trying to implement a few single sign-on applications using Active Directory (Windows Server 2003) and LDAP. I would like to lock down the account used to make these LDAP queries as much as possible. What is the best practice for configuring this type of account?


Solution

  • You can restrict/allow what a user can see or query within AD easily by using the Delegation Wizard. You can access the Delegation Wizard by right-clicking on an OU and then selecting Delegate Control. You also may want to take a look at these articles:

    Default security concerns in Active Directory delegation

    Best practices for delegating Active Directory administration: How delegation works in Active Directory

    Best practices for delegating Active Directory administration: Case study: a delegation scenario
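The same least-privilege setup can be done from the command line with the Windows Server 2003 directory service tools (dsadd, dsacls), which is useful when the Delegation Wizard has to be repeated consistently across several OUs. This is an added example, not code from the original question or answer; the domain EXAMPLE / DC=example,DC=com, the OU names and the account name svc-ldap are assumptions, and a placeholder password must be supplied.

```powershell
# Added example (not from the original post): create a dedicated, non-privileged
# bind account for SSO LDAP queries and grant it read-only rights on one OU.
# Assumed names: domain EXAMPLE, DN suffix DC=example,DC=com, OU "Service Accounts",
# OU "Staff" (the subtree the SSO apps need to search), account svc-ldap.

$Domain     = "EXAMPLE"
$SvcAccount = "svc-ldap"
$SvcDn      = "CN=$SvcAccount,OU=Service Accounts,DC=example,DC=com"
$QueryOu    = "OU=Staff,DC=example,DC=com"

# 1. Create the account as a plain domain user (member of Domain Users only),
#    with a non-expiring password that the account itself cannot change.
#    Replace <PLACEHOLDER-PASSWORD> with a long random value from a password manager.
dsadd user $SvcDn `
    -upn "$SvcAccount@example.com" `
    -pwd "<PLACEHOLDER-PASSWORD>" `
    -disabled no `
    -mustchpwd no `
    -canchpwd no `
    -pwdneverexpires yes `
    -desc "LDAP bind account for SSO applications (read-only)"

# 2. Grant Generic Read (GR) on the Staff OU and everything beneath it (/I:T).
#    This is what the Delegation Wizard does under the hood when you delegate
#    "Read all user information"; no write, create or delete rights are granted.
dsacls $QueryOu /I:T /G "$Domain\$SvcAccount:GR"

# 3. Verify: list the ACL on the OU and show only the ACEs for the bind account.
#    Expect a single "Allow ... GENERIC READ" line for EXAMPLE\svc-ldap.
dsacls $QueryOu | Select-String -Pattern "$Domain\\$SvcAccount"

# 4. Confirm the account is not in any privileged group (Domain Users only).
dsget user $SvcDn -memberof
```

Authenticated Users already have broad read access in a default AD forest, so the explicit grant mostly documents intent and survives if default reads are later tightened; the real hardening is that the account is an ordinary user, not a member of any administrative group, and has no rights outside the OU it needs. If an application only needs to validate credentials rather than enumerate users, it needs no delegated rights at all beyond a successful bind.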