Oh.... I'm just wondering who's seen this stumper...



Some developer is running some code to update user attributes via LDAP in
AD (Win2k3). He needed rights to 25 attributes, none mandatory. While
testing with "write all properties" permissions on the user objects, he
can write to those 25 every time, he claims, and no failure audits back
that up.

But, when I cut the perms back to limit him to just those 25, his code
fails and he has no error checking (don't ask), and all he gets is
"insufficient rights". When I check the security logs, there is a
failure audit 566 for write properties on the user for the attributes
that he actually has permissions to write to.

I can take LDP and using the same account as he, update all 25 at the
same time without a hitch and get a success audit for write properties
with the same account on the same DC FOR THE SAME ATTRIBUTES HE'S
GETTING THE FAILURE AUDITS FOR. His code syncs attributes from an
authoritative database.

If someone could tell me how this is even possible, that would help.
At no time when I see his failure audits are there any extra attributes
that he's trying to write to outside the 25. He does, of course, have
read access to all attributes.

Any clue at all would be much help. How can you get a failure audit
for writing to an attribute with an account that has write permissions
to that attribute? Then when I use the same account, I successfully
write to the same attribute.

I'm 19 years in IT... so I've already checked 99% of what you're
thinking. :) Who got that 1%?



Thx in advance.
