Active directory permissions problem - "insufficient access"

I've written a PHP app to update users in Active Directory using the LDAP protocol. The updates are then visible in the Outlook Address Book.

An addressbookadmin group has been set up in AD with permissions to edit various fields. Users in this group authenticate against AD using the PHP app and thereafter can make changes to the fields they have permissions for.  

I'm stuck trying to get write permissions for a particular field...
In Outlook Address Book there is a Phone/Notes tab. In that tab there is a Notes field. This corresponds to the Notes property in ADUC and to the info attribute in LDAP. I've assigned the addressbookadmin group Read/Write permissions for that field using ADUC.

I've followed the instructions in this article: http://redmondmag.com/columns/article.asp?EditorialsID=617
to set the permissions.

Every attempt to write to the field via the php app (authenticated as member of addressbookadmin group) results in an "insufficient access" error. I enabled write permissions on the photo and physicaldeliveryofficelocation properties in the same manner and the php app updates these ok.

Any ideas?

Any way to check the AD logs to see if these can shed some light on the problem?

Thanks,
Eoin
eoinmccarthy Asked:

ihuckaby Commented:
Off the top of my head, have you tried allowing universal privileges (Everyone, Full Control) temporarily?  I have found "insufficient access" frequently means, "I can't find that thing, so you must not have access."

AD doesn't always play by the expected LDAP rules, and I find I frequently have to tweak my strings differently than I would have expected.
0
eoinmccarthy (Author) Commented:
Got it working. The ldap-ADUC-OAB mappings are correct. However, the way we set the permissions was causing the problem. Originally they were set using the Advanced security settings tabs. Used the "Delegate Control" wizard and it worked just fine. Don't ask me why - AD access control is definitely not my area.
0
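
An added example, not part of the original thread and not the poster's code: a PowerShell check that lists which ACEs on a user object actually give the addressbookadmin group write access to the info attribute, so the result of the Advanced security tab and of the Delegate Control wizard can be compared. It assumes the ActiveDirectory module (RSAT) is installed; the target DN is a constructed placeholder.

```powershell
# Added example. Assumes the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

$GroupName = 'addressbookadmin'                        # group named in the question
$TargetDN  = 'CN=Test User,OU=Staff,DC=example,DC=com' # constructed placeholder DN

# Look up the schema GUIDs for the attribute instead of hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=info)' `
            -Properties schemaIDGUID, attributeSecurityGUID

# An ACE covers 'info' if its ObjectType is empty (all properties), the
# attribute's own GUID, or the GUID of the property set it belongs to (if any).
$covering = @([Guid]::Empty, [Guid]$attr.schemaIDGUID)
if ($attr.attributeSecurityGUID) { $covering += [Guid]$attr.attributeSecurityGUID }

$groupSid = (Get-ADGroup -Identity $GroupName).SID.Value
$write    = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Read the DACL with identities as SIDs so unresolved names cannot break matching.
$acl   = Get-Acl -Path "AD:\$TargetDN"
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

# Keep only the group's ACEs that include WriteProperty and cover the attribute.
$rules |
    Where-Object {
        $_.IdentityReference.Value -eq $groupSid -and
        ($_.ActiveDirectoryRights -band $write) -and
        ($covering -contains $_.ObjectType)
    } |
    Sort-Object AccessControlType |
    Format-Table AccessControlType, ActiveDirectoryRights, ObjectType,
                 IsInherited, InheritanceType, InheritedObjectType -AutoSize
```

No Allow row, or a Deny row, for the group on the target user object is consistent with the "insufficient access" result. The check only matches ACEs granted directly to the named group, not to groups it is nested in.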
Computer101 Commented:
PAQed with points refunded (125)

Computer101
EE Admin
0
