When you run an LDAP query against a Windows Server 2008-based domain controller, you obtain a partial attribute list

Article ID: 976063 - View products that this article applies to.
Expand all | Collapse all

On This Page

Symptoms

When you run a Lightweight Directory Access Protocol (LDAP) request against a Windows Server 2008-based domain controller, you obtain a partial attribute list. However, if you run the same LDAP query against a Windows Server 2003-based domain controller, you obtain a full attribute list in the response.

Note You can run this query from the domain controller or from a client computer that is running Windows Vista or Windows Server 2008.

The user account that you use to run the LDAP query has the following properties:
  • The account is a member of the built-in Administrators group.
  • The account is not the built-in administrator account.
  • The account is a member of the Domain Admins group.
  • The discretionary access control list (DACL) of the user object contains full control permission for the Administrators group.
  • The effective permissions of the object that you query against shows that the user has full control permission.
Back to the top | Give Feedback

Cause

This issue occurs because the Admin Approval Mode (AAM) feature is enabled for the user account in Windows Vista and in Windows Server 2008. It is also known as "User Account Control" (UAC). For local resource access, the security system has a loopback code so it uses the active Access Token from the interactive logon session for the LDAP session and the access checks during the LDAP query processing.

For more information about the AAM feature, visit the following Microsoft TechNet Web site:
http://technet.microsoft.com/en-us/library/cc772207(WS.10).aspx
(http://technet.microsoft.com/en-us/library/cc772207(WS.10).aspx)
Back to the top | Give Feedback

Workaround

To work around this issue, use one of the following methods.

Method 1

  1. Use the Run as administrator option to open a Command Prompt window.
  2. Run the LDAP query in the Command Prompt window.

Method 2

Specify the No prompt value for the following security setting:
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
For more information about how to specify the value of this security setting, visit the following Microsoft TechNet Web site:
http://technet.microsoft.com/en-us/library/cc772207(WS.10).aspx
(http://technet.microsoft.com/en-us/library/cc772207(WS.10).aspx)

Method 3

  1. Create a new group in the domain.
  2. Add the Domain Admins group to this new group.
  3. Grant the Read permission on the domain partition to this new group. To do this, follow these steps:
    1. Click Start, click Run, type adsiedit.msc, and then click OK.
    2. In the ADSI Edit window, right-click DC=<Name>,DC=com, and then click Properties.
    3. In the Properties window, click the Security tab.
    4. On the Security tab, click Add.
    5. Under Enter the object names to select, type the name of the new group, and then click OK.
    6. Make sure that the group is selected under Group or user names, click to select Allow for the Read permission, and then click OK.
    7. Close the ADSI Edit window.
  4. Run the LDAP query again.
Back to the top | Give Feedback

Status

This behavior is by design.
Back to the top | Give Feedback

More information

By default, the AAM feature is disabled for the built-in administrator account in Windows Vista and in Windows Server 2008. Additionally, the AAM feature is enabled for other accounts that are members of the built-in Administrators group.

To verify this, run the following command in a Command Prompt window.
whoami /all
If the AAM feature is enabled for the user account, the output resembles the following.
USER INFORMATION
----------------

User Name      SID                                           
============== ==============================================
MyDomain\MyUser S-1-5-21-2146773085-903363285-719344707-326360


GROUP INFORMATION
-----------------

Group Name                                    Type             SID                                               Attributes                                                     
============================================= ================ ================================================= ===============================================================
Everyone                                      Well-known group S-1-1-0                                           Mandatory group, Enabled by default, Enabled group             
BUILTIN\Administrators                        Alias            S-1-5-32-544                                      Group used for deny only
The built-in Administrators group has the following attribute:
Group used for deny only
The "Domain Admins" group is shown as enabled group with "Mandatory group, Enabled by default, Enabled group" in whoami /all, but really is disabled for Allow ACEs. This is a known problem in Windows Server 2008 and R2.

Based on this output, the user account that you used to run the LDAP query has the AAM feature enabled. When you run the LDAP query, you use a filtered access token instead of a full access token. Even if full control permission for the Administrators group is granted to the user object, you still do not have full control permission. Therefore, you obtain only a partial attribute list.
Back to the top | Give Feedback

Properties

Article ID: 976063 - Last Review: July 17, 2012 - Revision: 3.0
Applies to
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Standard
  • Windows Server 2008 Enterprise
  • Windows Vista Enterprise
  • Windows Vista Business
  • Windows Vista Business 64-bit Edition
  • Windows Vista Ultimate
  • Windows 7 Professional
  • Windows 7 Enterprise
  • Windows 7 Ultimate
  • Windows Server 2008 R2 Standard
  • Windows Server 2008 R2 Enterprise
Keywords: 
kbsurveynew kbprb kbexpertiseadvanced kbtshoot KB976063
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top