Solved

Active directory permissions problem - "insufficient access"

Posted on 2007-03-28
4
2,179 Views
Last Modified: 2013-12-24
I've written a PHP app to update users in Active Directory using the LDAP protocol. The updates are then visible in the Outlook Address Book.

An addressbookadmin group has been set up in AD with permissions to edit various fields. Users in this group authenticate against AD using the PHP app and thereafter can make changes to the fields they have permissions for.  

I'm stuck trying to get write permissions for a particular field......
In Outlook Address Book there is a Phone/Notes tab. In that tab there is a Notes field. This corresponds to the Notes property in ADUC and to the info attribute in LDAP. I've assigned the addressbookadmin group Read/Write permissions for that field using ADUC.

I've followed the instructions in this article: http://redmondmag.com/columns/article.asp?EditorialsID=617
to set the permissions.

Every attempt to write to the field via the php app (authenticated as member of addressbookadmin group) results in an "insufficient access" error. I enabled write permissions on the photo and physicaldeliveryofficelocation properties in the same manner and the php app updates these ok.

Any ideas?

Any way to check the AD logs to see if these can shed some light on the problem?

Thanks,
Eoin
0
Comment
Question by:eoinmccarthy
4 Comments
 
LVL 2

Expert Comment

by:ihuckaby
ID: 18812599
Off the top of my head, have you tried allowing universal priveleges (Everyone, Full Control) temporarily?  I have found "insufficient access" frequently means, "I can't find that thing, so you must not have access."

AD doesn't always play by the expected LDAP rules, and I find I frequently have to tweak my strings differently than I would have expected.
0
 

Author Comment

by:eoinmccarthy
ID: 18822453
Got it working. The ldap-ADUC-OAB mappings are correct. However, the way we set the permissions was causing the problem. Originally they were set using the Advanced security settings tabs. Used the "Delegate Control" wizard and it worked just fine. Don't ask me why - AD access control is definitely not my area.
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 21198113
PAQed with points refunded (125)

Computer101
EE Admin
0

Join & Write a Comment

Resolve DNS query failed errors for Exchange
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now