Solved

Active directory permissions problem - "insufficient access"

Posted on 2007-03-28
Last Modified: 2013-12-24
I've written a PHP app to update users in Active Directory using the LDAP protocol. The updates are then visible in the Outlook Address Book.

An addressbookadmin group has been set up in AD with permissions to edit various fields. Users in this group authenticate against AD using the PHP app and thereafter can make changes to the fields they have permissions for.  

I'm stuck trying to get write permissions for a particular field...
In Outlook Address Book there is a Phone/Notes tab. In that tab there is a Notes field. This corresponds to the Notes property in ADUC and to the info attribute in LDAP. I've assigned the addressbookadmin group Read/Write permissions for that field using ADUC.

I've followed the instructions in this article: http://redmondmag.com/columns/article.asp?EditorialsID=617
to set the permissions.

Every attempt to write to the field via the PHP app (authenticated as a member of the addressbookadmin group) results in an "insufficient access" error. I enabled write permissions on the photo and physicaldeliveryofficelocation properties in the same manner and the PHP app updates these OK.

Any ideas?

Any way to check the AD logs to see if these can shed some light on the problem?

Thanks,
Eoin
0
Question by:eoinmccarthy
4 Comments
 
LVL 2

Expert Comment

by:ihuckaby
ID: 18812599
Off the top of my head, have you tried allowing universal privileges (Everyone, Full Control) temporarily?  I have found "insufficient access" frequently means, "I can't find that thing, so you must not have access."

AD doesn't always play by the expected LDAP rules, and I find I frequently have to tweak my strings differently than I would have expected.
0
 

Author Comment

by:eoinmccarthy
ID: 18822453
Got it working. The LDAP-ADUC-OAB mappings are correct. However, the way we set the permissions was causing the problem. Originally they were set using the Advanced security settings tabs. Used the "Delegate Control" wizard and it worked just fine. Don't ask me why - AD access control is definitely not my area.
0
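One way to see which access control entries actually cover the info attribute for the addressbookadmin group on a given user object, as an added example that is not part of the thread. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the user DN and the function name are hypothetical placeholders.

```powershell
# Added example (not from the thread): list ACEs that grant or deny a group
# write access to one attribute on one AD object.
Import-Module ActiveDirectory

function Get-AttributeWriteAce {
    param(
        [Parameter(Mandatory)] [string] $ObjectDn,   # object to inspect
        [Parameter(Mandatory)] [string] $Group,      # group name, without domain
        [Parameter(Mandatory)] [string] $Attribute   # lDAPDisplayName, e.g. 'info'
    )

    # Resolve the attribute's schemaIDGUID from the schema rather than hard-coding it.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNc `
                         -LDAPFilter "(lDAPDisplayName=$Attribute)" `
                         -Properties schemaIDGUID
    if (-not $attr) { throw "Attribute '$Attribute' not found in the schema." }
    $attrGuid = [guid]$attr.schemaIDGUID
    $allGuid  = [guid]::Empty    # empty ObjectType = ACE applies to all properties

    $write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    # Read the DACL through the AD: drive that the module provides.
    (Get-Acl -Path "AD:\$ObjectDn").Access |
        Where-Object {
            $_.IdentityReference -like "*\$Group" -and
            ($_.ActiveDirectoryRights -band $write) -and
            ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq $allGuid)
        } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                      ObjectType, InheritedObjectType, InheritanceType, IsInherited
}

# Hypothetical DN; 'info' is the LDAP attribute behind the Notes field in the question.
Get-AttributeWriteAce -ObjectDn 'CN=Test User,OU=Staff,DC=example,DC=com' `
                      -Group 'addressbookadmin' -Attribute 'info' |
    Format-List
```

An empty result means no write ACE for the group reaches that attribute on that object. A Deny entry, or an entry whose InheritedObjectType or InheritanceType does not match the object, is worth comparing against an attribute that does update.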
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 21198113
PAQed with points refunded (125)

Computer101
EE Admin
0
