Note: You can run this query from the domain controller or from a client computer that is running Windows Vista or Windows Server 2008.
The user account that you use to run the LDAP query has the following properties:
- The account is a member of the built-in Administrators group.
- The account is not the built-in administrator account.
- The account is a member of the Domain Admins group.
- The discretionary access control list (DACL) of the user object contains full control permission for the Administrators group.
- The effective permissions of the object that you query against show that the user has full control permission.
For more information about the AAM feature, visit the following Microsoft TechNet Web site:
- Use the Run as administrator option to open a Command Prompt window.
- Run the LDAP query in the Command Prompt window.
Method 2: Specify the No prompt value for the following security setting:
- Create a new group in the domain.
- Add the Domain Admins group to this new group.
- Grant the Read permission on the domain partition to this new group. To do this, follow these steps:
- Click Start, click Run, type adsiedit.msc, and then click OK.
- In the ADSI Edit window, right-click DC=<Name>,DC=com, and then click Properties.
- In the Properties window, click the Security tab.
- On the Security tab, click Add.
- Under Enter the object names to select, type the name of the new group, and then click OK.
- Make sure that the group is selected under Group or user names, click to select Allow for the Read permission, and then click OK.
- Close the ADSI Edit window.
- Run the LDAP query again.
To verify this, run the following command in a Command Prompt window.
User Name                SID

Group Name               Type              SID            Attributes
======================== ================= ============== ==================================================
Everyone                 Well-known group  S-1-1-0        Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators   Alias             S-1-5-32-544   Group used for deny only
Based on this output, the user account that you used to run the LDAP query has the AAM feature enabled. When you run the LDAP query, you use a filtered access token instead of a full access token. Even if full control permission for the Administrators group is granted to the user object, you still do not have full control permission. Therefore, you obtain only a partial attribute list.
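As an added example (not part of the KB article), the following PowerShell function parses the CSV form of whoami /groups output and reports whether BUILTIN\Administrators (S-1-5-32-544) is present only as a deny-only group, which is the filtered-token condition described above. The function name Test-FilteredAdminToken and the two sample outputs are constructed for this example.

```powershell
# Added example, not from the KB article: detect a UAC-filtered (Admin Approval Mode)
# token by checking how BUILTIN\Administrators appears in the token's group list.
function Test-FilteredAdminToken {
    param(
        # CSV text in the format produced by: whoami /groups /fo csv
        [Parameter(Mandatory)] [string[]] $WhoamiCsv
    )
    $rows   = $WhoamiCsv | ConvertFrom-Csv
    $admins = $rows | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    if (-not $admins) {
        return [pscustomobject]@{ IsAdminMember = $false; IsFiltered = $false }
    }
    # whoami localizes the Attributes text; this matches the English wording shown in the article.
    $denyOnly = $admins.Attributes -match 'Group used for deny only'
    [pscustomobject]@{ IsAdminMember = $true; IsFiltered = [bool]$denyOnly }
}

# Constructed sample: filtered token, matching the output shown in the article.
$filteredSample = @'
"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"
'@

# Constructed sample: full token, as seen from an elevated ("Run as administrator") prompt.
$fullSample = @'
"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Mandatory group, Enabled by default, Enabled group, Group owner"
'@

Test-FilteredAdminToken -WhoamiCsv $filteredSample
Test-FilteredAdminToken -WhoamiCsv $fullSample

# Live check of the session that is about to run the LDAP query.
$live = whoami /groups /fo csv
if ((Test-FilteredAdminToken -WhoamiCsv $live).IsFiltered) {
    Write-Warning 'Filtered token: the LDAP query will return a partial attribute list. Use an elevated prompt.'
}
```

Run the live check from the same Command Prompt or PowerShell session that you use for the LDAP query, because elevation is per process and a different window may hold a different token.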
Article ID: 976063 - Last Review: Jul 17, 2012 - Revision: 1