Article ID: 976063 - View products that this article applies to.
When you run a Lightweight Directory Access Protocol (LDAP) request against a Windows Server 2008-based domain controller, you obtain a partial attribute list. However, if you run the same LDAP query against a Windows Server 2003-based domain controller, you obtain a full attribute list in the response.
Note You can run this query from the domain controller or from a client computer that is running Windows Vista or Windows Server 2008.
The user account that you use to run the LDAP query has the following properties:
This issue occurs because the Admin Approval Mode (AAM) feature is enabled for the user account in Windows Vista and in Windows Server 2008. It is also known as "User Account Control" (UAC). For local resource access, the security system has a loopback code so it uses the active Access Token from the interactive logon session for the LDAP session and the access checks during the LDAP query processing.
For more information about the AAM feature, visit the following Microsoft TechNet Web site:
To work around this issue, use one of the following methods.
Method 2Specify the No prompt value for the following security setting:
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval ModeFor more information about how to specify the value of this security setting, visit the following Microsoft TechNet Web site:
By default, the AAM feature is disabled for the built-in administrator account in Windows Vista and in Windows Server 2008. Additionally, the AAM feature is enabled for other accounts that are members of the built-in Administrators group.
To verify this, run the following command in a Command Prompt window.
If the AAM feature is enabled for the user account, the output resembles the following.
The built-in Administrators group has the following attribute:
The "Domain Admins" group is shown as enabled group with "Mandatory group, Enabled by default, Enabled group" in whoami /all, but really is disabled for Allow ACEs. This is a known problem in Windows Server 2008 and R2.
Based on this output, the user account that you used to run the LDAP query has the AAM feature enabled. When you run the LDAP query, you use a filtered access token instead of a full access token. Even if full control permission for the Administrators group is granted to the user object, you still do not have full control permission. Therefore, you obtain only a partial attribute list.
Article ID: 976063 - Last Review: July 17, 2012 - Revision: 3.0