?
Solved

Using DirSyncRequestControl (.NET, System.DirectoryServices) cause "The user has insufficient access rights" exception in case of Organization Unit (OU) search

Posted on 2013-01-11
2
Medium Priority
?
2,158 Views
Last Modified: 2013-03-24
I'm using the following C# code to track changes applied on user objects of an Active Directory. The code uses cookies with DirSyncRequestControl in order to search and retrieve the latest changes applied to user info.

 //Create LDAP Connection
            LdapDirectoryIdentifier id = new LdapDirectoryIdentifier("mydomain.com", 389, true, false);
            LdapConnection connection = new LdapConnection(id);
            
            connection.AuthType = AuthType.Basic;
            connection.Credential = new NetworkCredential("example@mydomain.com", "123456");

            connection.SessionOptions.ProtocolVersion = 3; //Required in order to make paged searches

            connection.Bind();

            //Create Search Request object
            string[] attributes = { "samaccountname", "displayname", "name", "initials" };
            string baseDN = "DC=mydomain,DC=com";
            string ldapSearchFilter = "(objectClass=user)";

            SearchRequest request = new SearchRequest(baseDN, ldapSearchFilter, System.DirectoryServices.Protocols.SearchScope.Subtree, attributes);
            
            //Load Cookie
            cookie = GetCookie();

            //Add Cookie
            DirSyncRequestControl dirSyncRC = new DirSyncRequestControl(cookie, System.DirectoryServices.Protocols.DirectorySynchronizationOptions.IncrementalValues, Int32.MaxValue);
            request.Controls.Add(dirSyncRC);

            //Send Request
            SearchResponse searchResponse = (SearchResponse)connection.SendRequest(request);

            //Handle response
            foreach (SearchResultEntry entry in searchResponse.Entries)
            {
                Console.WriteLine(entry.DistinguishedName);
            }

Open in new window

Running the code against a valid Active Directory successfully retrieves latest changes for user info. The code has been tested on both Windows 2003/Windows 2008.

My problem is that I would like to limit my search on a specific AD Organization Unit (OU). So on the previous code I'm changing baseDN to the following:

string baseDN = "OU=MyCompany,DC=mydomain,DC=com";

Open in new window


Running again the code, causes the following exception
System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.
                    at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
                    at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
                    at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request)                    

Open in new window


I found that "Replicating Directory Permissions" may cause the problem and should applied for the user, but i had no luck. The exception "The user has insufficient access rights." is throwed for every OU although i provided my user with all the permissions that could possible including inheritance cases.

Is there any other possible cause that could prevent searching for a specific OU?
0
Comment
Question by:Anestis Psomas
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
2 Comments
 
LVL 17

Accepted Solution

by:
Tony Massa earned 2000 total points
ID: 38767987
According to this:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms677626(v=vs.85).aspx
The base of a DirSync search must be the root of a directory partition, which can be a domain partition, the configuration partition, or the schema partition.
You would have to use LDAP filter to control results.

[Edit]
Take a look at LDAP assertion control.  I've never used it, but it seems like a possibility.
http://ff1959.wordpress.com/2011/08/05/mastering-the-ldap-assertion-control/

[Edit2]
...or not.  It doesn't appear to be a supported control on my domain (2008 R2 Mode)
0
 
LVL 17

Expert Comment

by:Tony Massa
ID: 39016052
http://support.microsoft.com/kb/891995

See:
Method 2: USN queries using the uSNChanged attribute

Monitoring USN changes benefits and permissions
 There are two benefits with using the uSNChanged attribute to poll for Active Directory object changes. The first benefit is that an uSNChanged attribute value search can be confined to a specific area of Active Directory. For example, unlike the DirSync control, object change searches can be limited to a specific subtree in the directory.
0

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Here's a look at newsworthy articles and community happenings during the last month.
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses
Course of the Month10 days, 22 hours left to enroll

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question