Solved

Active directory permissions problem - "insufficient access"

Posted on 2007-03-28
4
2,194 Views
Last Modified: 2013-12-24
I've written a PHP app to update users in Active Directory using the LDAP protocol. The updates are then visible in the Outlook Address Book.

An addressbookadmin group has been set up in AD with permissions to edit various fields. Users in this group authenticate against AD using the PHP app and thereafter can make changes to the fields they have permissions for.  

I'm stuck trying to get write permissions for a particular field......
In Outlook Address Book there is a Phone/Notes tab. In that tab there is a Notes field. This corresponds to the Notes property in ADUC and to the info attribute in LDAP. I've assigned the addressbookadmin group Read/Write permissions for that field using ADUC.

I've followed the instructions in this article: http://redmondmag.com/columns/article.asp?EditorialsID=617
to set the permissions.

Every attempt to write to the field via the php app (authenticated as member of addressbookadmin group) results in an "insufficient access" error. I enabled write permissions on the photo and physicaldeliveryofficelocation properties in the same manner and the php app updates these ok.

Any ideas?

Any way to check the AD logs to see if these can shed some light on the problem?

Thanks,
Eoin
0
Comment
Question by:eoinmccarthy
4 Comments
 
LVL 2

Expert Comment

by:ihuckaby
ID: 18812599
Off the top of my head, have you tried allowing universal priveleges (Everyone, Full Control) temporarily?  I have found "insufficient access" frequently means, "I can't find that thing, so you must not have access."

AD doesn't always play by the expected LDAP rules, and I find I frequently have to tweak my strings differently than I would have expected.
0
 

Author Comment

by:eoinmccarthy
ID: 18822453
Got it working. The ldap-ADUC-OAB mappings are correct. However, the way we set the permissions was causing the problem. Originally they were set using the Advanced security settings tabs. Used the "Delegate Control" wizard and it worked just fine. Don't ask me why - AD access control is definitely not my area.
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 21198113
PAQed with points refunded (125)

Computer101
EE Admin
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
Finding original email is quite difficult due to their duplicates. From this article, you will come to know why multiple duplicates of same emails appear and how to delete duplicate emails from Outlook securely and instantly while vital emails remai…
This Experts Exchange video Micro Tutorial shows how to tell Microsoft Office that a word is NOT spelled correctly. Microsoft Office has a built-in, main dictionary that is shared by Office apps, including Excel, Outlook, PowerPoint, and Word. When …
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question