Using DirSyncRequestControl (.NET, System.DirectoryServices) cause "The user has insufficient access rights" exception in case of Organization Unit (OU) search

I'm using the following C# code to track changes applied on user objects of an Active Directory. The code uses cookies with DirSyncRequestControl in order to search and retrieve the latest changes applied to user info.

 //Create LDAP Connection
            LdapDirectoryIdentifier id = new LdapDirectoryIdentifier("mydomain.com", 389, true, false);
            LdapConnection connection = new LdapConnection(id);
            
            connection.AuthType = AuthType.Basic;
            connection.Credential = new NetworkCredential("example@mydomain.com", "123456");

            connection.SessionOptions.ProtocolVersion = 3; //Required in order to make paged searches

            connection.Bind();

            //Create Search Request object
            string[] attributes = { "samaccountname", "displayname", "name", "initials" };
            string baseDN = "DC=mydomain,DC=com";
            string ldapSearchFilter = "(objectClass=user)";

            SearchRequest request = new SearchRequest(baseDN, ldapSearchFilter, System.DirectoryServices.Protocols.SearchScope.Subtree, attributes);
            
            //Load Cookie
            cookie = GetCookie();

            //Add Cookie
            DirSyncRequestControl dirSyncRC = new DirSyncRequestControl(cookie, System.DirectoryServices.Protocols.DirectorySynchronizationOptions.IncrementalValues, Int32.MaxValue);
            request.Controls.Add(dirSyncRC);

            //Send Request
            SearchResponse searchResponse = (SearchResponse)connection.SendRequest(request);

            //Handle response
            foreach (SearchResultEntry entry in searchResponse.Entries)
            {
                Console.WriteLine(entry.DistinguishedName);
            }

Open in new window

Running the code against a valid Active Directory successfully retrieves latest changes for user info. The code has been tested on both Windows 2003/Windows 2008.

My problem is that I would like to limit my search on a specific AD Organization Unit (OU). So on the previous code I'm changing baseDN to the following:

string baseDN = "OU=MyCompany,DC=mydomain,DC=com";

Open in new window


Running again the code, causes the following exception
System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.
                    at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
                    at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
                    at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request)                    

Open in new window


I found that "Replicating Directory Permissions" may cause the problem and should applied for the user, but i had no luck. The exception "The user has insufficient access rights." is throwed for every OU although i provided my user with all the permissions that could possible including inheritance cases.

Is there any other possible cause that could prevent searching for a specific OU?
Anestis PsomasSystem and Network AdministratorAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Tony MassaCommented:
According to this:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms677626(v=vs.85).aspx
The base of a DirSync search must be the root of a directory partition, which can be a domain partition, the configuration partition, or the schema partition.
You would have to use LDAP filter to control results.

[Edit]
Take a look at LDAP assertion control.  I've never used it, but it seems like a possibility.
http://ff1959.wordpress.com/2011/08/05/mastering-the-ldap-assertion-control/

[Edit2]
...or not.  It doesn't appear to be a supported control on my domain (2008 R2 Mode)
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Tony MassaCommented:
http://support.microsoft.com/kb/891995

See:
Method 2: USN queries using the uSNChanged attribute

Monitoring USN changes benefits and permissions
 There are two benefits with using the uSNChanged attribute to poll for Active Directory object changes. The first benefit is that an uSNChanged attribute value search can be confined to a specific area of Active Directory. For example, unlike the DirSync control, object change searches can be limited to a specific subtree in the directory.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.