Re: memberOF AD lookup Problem




Sounds like a permissions problem. Did someone place a deny permission
somewhere for memberOf? You could use a 3rd party tool such as DSRAZOR for
Windows to scan for such permissions.

Look at the permissions for user objects that are denying access and see if
anything is denying or not inheriting properly. This is done in the security
tab of an object in AD. You could also try to explicitly apply read/write
permissions to the memberOf attribute as a test.

To do this:
right click on an OU or if you want to localize the test, right click on a
specific user. Go to properties, security tab, advanced, click on a Trustee
(user or group - group is preferred), press edit, go to properties tab,
change the dropdown to "User objects" or "Computer objects" or whatever
makes sense for your goals, scroll down and place a check mark in the "Read
Member Of" and "Write Member Of" boxes. Click OK through the dialogues.
Now try testing with the user. Can they modify group membership?

FYI, because of the way group membership is handled, you should not need to give
any extra permissions to the group objects themselves. The backlinking is
handled by the system.
Source: WindowsITpro, August 07, pg 45-48

--
Ken Aldrich
DSRAZOR for Windows
Visual Click Software, Inc.
www.visualclick.com
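The reply above walks through the Security tab by hand. As an added example that is not part of the thread and not a DSRAZOR feature, the PowerShell script below does the same two things from the command line: it audits a user object's ACL for entries that affect ReadProperty on memberOf (either the attribute itself or an "all properties" entry) and reports any Deny entries and whether inheritance is blocked, and with -Grant it adds the explicit "Read Member Of" allow entry for a trustee as a test. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the caller can read and, for -Grant, write the object's ACL; the user DN and trustee name are placeholders, and the memberOf schemaIDGUID is read from the schema rather than hardcoded.

```powershell
# Added example (not from the thread): audit, and optionally grant, read access
# to the memberOf attribute on one user object.
# Assumes: ActiveDirectory module available; $UserDN and $Trustee are placeholders.
param(
    [string]$UserDN  = 'CN=Test User,OU=Users,DC=example,DC=local',   # placeholder
    [string]$Trustee = 'EXAMPLE\LDAP Lookup Accounts',                 # placeholder
    [switch]$Grant                                                     # add the allow ACE as a test
)

Import-Module ActiveDirectory

# Look up the schemaIDGUID of memberOf from the schema partition.
$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$memberOfAttr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=memberOf)' -Properties schemaIDGUID
$memberOfGuid = [guid]::new([byte[]]$memberOfAttr.schemaIDGUID)
$allProps     = [guid]::Empty      # an ACE with an empty ObjectType covers all properties
$readProp     = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

$acl = Get-Acl -Path "AD:\$UserDN"

# ACEs that include ReadProperty and apply to memberOf specifically or to all properties.
$relevant = $acl.Access | Where-Object {
    (($_.ActiveDirectoryRights -band $readProp) -ne 0) -and
    ($_.ObjectType -eq $memberOfGuid -or $_.ObjectType -eq $allProps)
}
$denies = @($relevant | Where-Object { $_.AccessControlType -eq 'Deny' })
$allows = @($relevant | Where-Object { $_.AccessControlType -eq 'Allow' })

"Object:                          $UserDN"
"Inheritance from parent blocked: $($acl.AreAccessRulesProtected)"
"Allow ReadProperty (memberOf/all): $($allows.Count)"
"Deny  ReadProperty (memberOf/all): $($denies.Count)"
if ($denies.Count -gt 0) {
    "Deny entries to review:"
    $denies | Format-Table IdentityReference, ActiveDirectoryRights,
        @{n='Scope'; e={ if ($_.ObjectType -eq $allProps) { 'all properties' } else { 'memberOf' } }},
        IsInherited -AutoSize
}

if ($Grant) {
    # Explicit Allow ReadProperty on memberOf for the trustee, i.e. the GUI's "Read Member Of" box.
    $sid  = (New-Object System.Security.Principal.NTAccount($Trustee)).Translate(
                [System.Security.Principal.SecurityIdentifier])
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid, $readProp,
                [System.Security.AccessControl.AccessControlType]::Allow,
                $memberOfGuid)
    $acl.AddAccessRule($rule) | Out-Null
    Set-Acl -Path "AD:\$UserDN" -AclObject $acl
    "Granted Read Member Of on $UserDN to $Trustee"
}
```

Run it first without -Grant to see what is already on the object; an explicit Deny on memberOf or on all properties is evaluated before an explicit Allow on the same object, so adding the allow entry will not fix a problem caused by an explicit deny, which has to be removed instead. If the Deny shows IsInherited as True, walk up the OU chain to find where it was set.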

"Joseph Vito Bacino" <someemail@xxxxxxxxxxxxxx> wrote in message
news:%23OKF5323HHA.5980@xxxxxxxxxxxxxxxxxxxxxxx
First, if this is the wrong group for this question, I am sorry.

We have some 3rd party apps that read AD for group membership of users.

Everything was working fine, then it just stopped.

I will explain some more.

The apps were set up to look at AD with a normal user account. (was working)
Now, the only way to get this account to see memberOF is to make the
lookup user an AD admin.

Test1:

If I use an LDAP browser to test, I get this:
Normal user rights:
I can look at all other objects in AD, but no memberOF.

Test2:
If I make this user an admin,
I can see memberOF.

What is even more strange is that this is happening on a few different
locations with different AD/domains.

These servers are a mixture of SBS2003 sp1/r2/sp2

Am I missing something?


Thanks for your help




