Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Active directory permissions problem - "insufficient access"

Posted on 2007-03-28
4
Medium Priority
?
2,270 Views
Last Modified: 2013-12-24
I've written a PHP app to update users in Active Directory using the LDAP protocol. The updates are then visible in the Outlook Address Book.

An addressbookadmin group has been set up in AD with permissions to edit various fields. Users in this group authenticate against AD using the PHP app and thereafter can make changes to the fields they have permissions for.  

I'm stuck trying to get write permissions for a particular field......
In Outlook Address Book there is a Phone/Notes tab. In that tab there is a Notes field. This corresponds to the Notes property in ADUC and to the info attribute in LDAP. I've assigned the addressbookadmin group Read/Write permissions for that field using ADUC.

I've followed the instructions in this article: http://redmondmag.com/columns/article.asp?EditorialsID=617
to set the permissions.

Every attempt to write to the field via the php app (authenticated as member of addressbookadmin group) results in an "insufficient access" error. I enabled write permissions on the photo and physicaldeliveryofficelocation properties in the same manner and the php app updates these ok.

Any ideas?

Any way to check the AD logs to see if these can shed some light on the problem?

Thanks,
Eoin
0
Comment
Question by:eoinmccarthy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 2

Expert Comment

by:ihuckaby
ID: 18812599
Off the top of my head, have you tried allowing universal priveleges (Everyone, Full Control) temporarily?  I have found "insufficient access" frequently means, "I can't find that thing, so you must not have access."

AD doesn't always play by the expected LDAP rules, and I find I frequently have to tweak my strings differently than I would have expected.
0
 

Author Comment

by:eoinmccarthy
ID: 18822453
Got it working. The ldap-ADUC-OAB mappings are correct. However, the way we set the permissions was causing the problem. Originally they were set using the Advanced security settings tabs. Used the "Delegate Control" wizard and it worked just fine. Don't ask me why - AD access control is definitely not my area.
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 21198113
PAQed with points refunded (125)

Computer101
EE Admin
0

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Backups and Disaster RecoveryIn this post, we’ll look at strategies for backups and disaster recovery.
Instead of error trapping or hard-coding for non-updateable fields when using QODBC, let VBA automatically disable them when forms open. This way, users can view but not change the data. Part 1 explained how to use schema tables to do this. Part 2 h…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question