Confusing results with AD LDAP query and the modifyTimeStamp attribute

Asked by iistech in Lightweight Directory Access Protocol (LDAP), Active Directory, Windows 2003 Server

Tags: AD, active directory, ldap, query, modifyTimeStamp, missing

I see other AD-related questions here, so here's mine, and I'll try to succinctly detail the issue:

I am using both DSQUERY and LDP for doing queries against a Windows 2003 domain that is NOT in native 2003 mode yet. (There are still a few 2000 DCs.)

I am searching for an account that was definitely changed since 2001, and the GUI confirms this.

In the query, I have to use the modifyTimeStamp. (To save on unnecessary responses, I must use that attribute, and, yes, I know there are others that I can use, but this is an application limitation.) I am also aware that to read the modifyTimeStamp value, more permissions are required. We've created a special group that has read-only access to modifyTimeStamp and createdTimeStamp.

1) I have a query like
  "(& (objectclass=user) (|(modifyTimestamp>=20010128130028.0Z)) (objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.804:=2))  )"
2)  I am only looking for the attributes "cn,adminCount,modifyTimeStamp".
3) Yes, I know that modifyTimeStamp is special and requires rights to view it.
4) I expect to get a particular user that doesn't show up in the results.
5) I am binding with a "generic" user account which has the additional rights, being the member of a special group, to read the modifyTimeStamp attribute.
6) In the original results in step 1, I am getting results with the modifyTimeStamp, but it seems to be missing accounts.
7) to be more exact and limit the search, I changed the query to:
  "(& (objectclass=user) (objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.804:=2)) (|(cn=Divyah Smith) (cn=Kondal Smith))  ) "
8) Step 7 results in three objects, including the two expected users and the attribute data is correctly displayed. The modifyTimeStamp value is being displayed for each object.
9) I changed the query to:
 " (& (objectclass=user) (modifyTimestamp>=20090126120027.0Z) (objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.804:=2)) (|(cn=Divyah Smith) (cn=Kondal Smith))  ) "
10) The query in step 9 only results in one object!!

So, with these steps, I have shown:
1) The binding account can definitely read the modifyTimeStamp for some user objects.
2) There are user objects that are NOT displayed when modifyTimeStamp is part of the query.

My question is this: is there some ADDITIONAL security needed for other underlying attributes in AD in order to use the modifyTimeStamp in an LDAP query in AD?

Ultimately, I need to be able to allow this particular user account the rights to be able to use the modifyTimeStamp and createdTimeStamp in a query and get the attributes in the results. I can do the "black box" approach by making it a Domain Admin, but that sucks.

-- Rob --
***Searching...
ldap_search_s(ld, "DC=mydom,DC=net", 2, "(& (objectclass=user) (modifyTimestamp>=20090126120027.0Z) (objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.804:=2)) (|(cn=Divyah Smith) (cn=Kondal Smith))  ) ", attrList,  0, &msg)
Result <0>: (null)
Matched DNs: 
Getting 1 entries:
>> Dn: CN=Kondal Smith,OU=AsiaPac,OU=Users,OU=Corp,DC=mydom,DC=net
	1> adminCount: 1; 
	1> modifyTimeStamp: 01/28/2009 13:34:10 Pacific Standard Time Pacific Daylight Time; 
-----------
***Searching...
ldap_search_s(ld, "DC=mydom,DC=net", 2, "(& (objectclass=user) (objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.804:=2)) (|(cn=Divyah Smith) (cn=Kondal Smith))  ) ", attrList,  0, &msg)
Result <0>: (null)
Matched DNs: 
Getting 3 entries:
>> Dn: CN=Divyah Smith,OU=AsiaPac,OU=Users,OU=Eng,DC=mydom,DC=net
	1> modifyTimeStamp: 01/26/2009 19:52:05 Pacific Standard Time Pacific Daylight Time; 
>> Dn: CN=Kondal Smith,OU=AsiaPac,OU=Users,OU=Corp,DC=mydom,DC=net
	1> adminCount: 1; 
	1> modifyTimeStamp: 01/28/2009 13:34:10 Pacific Standard Time Pacific Daylight Time; 
>> Dn: CN=Kondal Smith,OU=AsiaPac,OU=Users,OU=Eng,DC=mydom,DC=net
	1> modifyTimeStamp: 01/28/2009 14:22:10 Pacific Standard Time Pacific Daylight Time; 
-----------
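One check worth doing before chasing permissions is to put the filter value and the displayed attribute values on the same clock. The filter uses LDAP GeneralizedTime in UTC (the trailing Z), while LDP prints modifyTimeStamp converted to the workstation's local time with the zone names appended. The script below is an added example, not part of the original post or of Rob's tooling: it parses both forms, converts them to UTC, and evaluates the (modifyTimeStamp>=...) clause locally over the three entries in the posted three-object result. The Pacific offsets (PST = UTC-8, PDT = UTC-7) are assumed for the example; the sample entries are copied from the LDP output above.

```python
"""Local sanity check for an LDAP (modifyTimeStamp>=...) filter clause.

Added example, not from the original post. It normalises the Zulu
GeneralizedTime used in the filter and the localised timestamps LDP prints
to UTC and evaluates the clause over the entries LDP returned, so the time
boundary can be ruled in or out as the reason an object is missing.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# GeneralizedTime as used in AD filters: YYYYMMDDHHMMSS[.fraction]Z
_GENTIME = re.compile(r"^(\d{14})(?:\.(\d+))?Z$")

# Assumed offsets for this example. LDP appends both the standard and the
# daylight zone name; a January value is in standard time.
_ZONE_OFFSETS = {
    "Pacific Standard Time": timedelta(hours=-8),
    "Pacific Daylight Time": timedelta(hours=-7),
}


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime such as '20090126120027.0Z' to aware UTC."""
    m = _GENTIME.match(value.strip())
    if not m:
        raise ValueError(f"not a Zulu GeneralizedTime: {value!r}")
    base = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    micros = int(((m.group(2) or "0") + "000000")[:6])
    return base.replace(microsecond=micros, tzinfo=timezone.utc)


def to_generalized_time(dt: datetime) -> str:
    """Format an aware datetime as the Zulu GeneralizedTime an AD filter expects."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S") + ".0Z"


def parse_ldp_timestamp(display: str) -> datetime:
    """Convert LDP's 'MM/DD/YYYY HH:MM:SS <zone names>' display to aware UTC.

    The first known zone name at the start of the zone text decides the offset.
    """
    m = re.match(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(.*)$", display.strip())
    if not m:
        raise ValueError(f"unrecognised LDP timestamp: {display!r}")
    local = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
    zone_text = m.group(2)
    for name, offset in _ZONE_OFFSETS.items():
        if zone_text.startswith(name):
            return local.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)
    raise ValueError(f"unknown time zone in {display!r}")


def entries_matching_since(entries: dict[str, str], since_generalized: str) -> list[str]:
    """Return the DNs whose displayed modifyTimeStamp satisfies (modifyTimeStamp>=since)."""
    since = parse_generalized_time(since_generalized)
    return [dn for dn, ts in entries.items() if parse_ldp_timestamp(ts) >= since]


# Entries copied from the three-object LDP result posted above.
POSTED_ENTRIES = {
    "CN=Divyah Smith,OU=AsiaPac,OU=Users,OU=Eng,DC=mydom,DC=net":
        "01/26/2009 19:52:05 Pacific Standard Time Pacific Daylight Time",
    "CN=Kondal Smith,OU=AsiaPac,OU=Users,OU=Corp,DC=mydom,DC=net":
        "01/28/2009 13:34:10 Pacific Standard Time Pacific Daylight Time",
    "CN=Kondal Smith,OU=AsiaPac,OU=Users,OU=Eng,DC=mydom,DC=net":
        "01/28/2009 14:22:10 Pacific Standard Time Pacific Daylight Time",
}

# Boundary value used in the posted step-9 query.
FILTER_SINCE = "20090126120027.0Z"

if __name__ == "__main__":
    matching = entries_matching_since(POSTED_ENTRIES, FILTER_SINCE)
    print(f"{len(matching)} of {len(POSTED_ENTRIES)} posted entries satisfy "
          f"(modifyTimeStamp>={FILTER_SINCE}); the server returned 1")
    for dn in matching:
        utc = to_generalized_time(parse_ldp_timestamp(POSTED_ENTRIES[dn]))
        print(f"  {dn}  modifyTimeStamp (UTC) = {utc}")
```

Evaluated this way, all three displayed values are later than the filter boundary, so the boundary itself does not account for the single result. Two things to check next, neither of which requires widening the binding account's rights: modifyTimeStamp is constructed from whenChanged, and whenChanged is not replicated between domain controllers, so the same search pinned to each DC (a mixed set of 2000 and 2003 DCs here) can legitimately see different values; and running the same filter against whenChanged directly, purely as a diagnostic, shows whether the constructed attribute and the stored one behave the same on the DC you are bound to.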
01/30/09 03:36 PM, ID: 23514132, Accepted Solution
Solution Provided By: iistech
Participating Experts: 1
Solution Grade: A
Other comments in this thread:
01/29/09 05:18 PM, ID: 23504464, Author Comment
01/30/09 11:53 AM, ID: 23512175, Administrative Comment
01/30/09 11:53 AM, ID: 23512179, Administrative Comment
01/30/09 12:53 PM, ID: 23512837, Expert Comment
02/04/09 01:50 AM, ID: 23546295, Author Comment
03/13/09 10:11 AM, ID: 23881502, Author Comment