When you run a Lightweight Directory Access Protocol (LDAP) request against a Windows Server 2008-based domain controller, you obtain a partial attribute list. However, if you run the same LDAP query against a Windows Server 2003-based domain controller, you obtain a full attribute list in the response.
Note You can run this query from the domain controller or from a client computer that is running Windows Vista or Windows Server 2008.
The user account that you use to run the LDAP query has the following properties:
The account is a member of the built-in Administrators group.
The account is not the built-in administrator account.
The account is a member of the Domain Admins group.
The discretionary access control list (DACL) of the user object contains full control permission for the Administrators group.
The effective permissions of the object that you query against shows that the user has full control permission.
This issue occurs because the Admin Approval Mode (AAM) feature is enabled for the user account in Windows Vista and in Windows Server 2008. It is also known as "User Account Control" (UAC). For local resource access, the security system has a loopback code so it uses the active Access Token from the interactive logon session for the LDAP session and the access checks during the LDAP query processing.
For more information about the AAM feature, visit the following Microsoft TechNet Web site:
Grant the Read permission on the domain partition to this new group. To do this, follow these steps:
Click Start, click Run, type adsiedit.msc, and then click OK.
In the ADSI Edit window, right-click DC=<Name>,DC=com, and then click Properties.
In the Properties window, click the Security tab.
On the Security tab, click Add.
Under Enter the object names to select, type the name of the new group, and then click OK.
Make sure that the group is selected under Group or user names, click to select Allow for the Read permission, and then click OK.
Close the ADSI Edit window.
Run the LDAP query again.
This behavior is by design.
By default, the AAM feature is disabled for the built-in administrator account in Windows Vista and in Windows Server 2008. Additionally, the AAM feature is enabled for other accounts that are members of the built-in Administrators group.
To verify this, run the following command in a Command Prompt window.
If the AAM feature is enabled for the user account, the output resembles the following.
USER INFORMATION----------------User Name SID ============== ==============================================MyDomain\MyUser S-1-5-21-2146773085-903363285-719344707-326360GROUP INFORMATION-----------------Group Name Type SID Attributes ============================================= ================ ================================================= ===============================================================Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group BUILTIN\Administrators Alias S-1-5-32-544 Group used for deny only
The built-in Administrators group has the following attribute:
Group used for deny only
The "Domain Admins" group is shown as enabled group with "Mandatory group, Enabled by default, Enabled group" in whoami /all, but really is disabled for Allow ACEs. This is a known problem in Windows Server 2008 and R2.
Based on this output, the user account that you used to run the LDAP query has the AAM feature enabled. When you run the LDAP query, you use a filtered access token instead of a full access token. Even if full control permission for the Administrators group is granted to the user object, you still do not have full control permission. Therefore, you obtain only a partial attribute list.
Windows Server 2008 Datacenter, Windows Server 2008 Standard, Windows Server 2008 Enterprise, Windows Vista Enterprise, Windows Vista Business, Windows Vista Business 64-bit Edition, Windows Vista Ultimate, Windows 7 Professional, Windows 7 Enterprise, Windows 7 Ultimate, Windows Server 2008 R2 Standard, Windows Server 2008 R2 Enterprise