Solved

Using DirSyncRequestControl (.NET, System.DirectoryServices) cause "The user has insufficient access rights" exception in case of Organization Unit (OU) search

Posted on 2013-01-11
2
1,972 Views
Last Modified: 2013-03-24
I'm using the following C# code to track changes applied on user objects of an Active Directory. The code uses cookies with DirSyncRequestControl in order to search and retrieve the latest changes applied to user info.

 //Create LDAP Connection
            LdapDirectoryIdentifier id = new LdapDirectoryIdentifier("mydomain.com", 389, true, false);
            LdapConnection connection = new LdapConnection(id);
            
            connection.AuthType = AuthType.Basic;
            connection.Credential = new NetworkCredential("example@mydomain.com", "123456");

            connection.SessionOptions.ProtocolVersion = 3; //Required in order to make paged searches

            connection.Bind();

            //Create Search Request object
            string[] attributes = { "samaccountname", "displayname", "name", "initials" };
            string baseDN = "DC=mydomain,DC=com";
            string ldapSearchFilter = "(objectClass=user)";

            SearchRequest request = new SearchRequest(baseDN, ldapSearchFilter, System.DirectoryServices.Protocols.SearchScope.Subtree, attributes);
            
            //Load Cookie
            cookie = GetCookie();

            //Add Cookie
            DirSyncRequestControl dirSyncRC = new DirSyncRequestControl(cookie, System.DirectoryServices.Protocols.DirectorySynchronizationOptions.IncrementalValues, Int32.MaxValue);
            request.Controls.Add(dirSyncRC);

            //Send Request
            SearchResponse searchResponse = (SearchResponse)connection.SendRequest(request);

            //Handle response
            foreach (SearchResultEntry entry in searchResponse.Entries)
            {
                Console.WriteLine(entry.DistinguishedName);
            }

Open in new window

Running the code against a valid Active Directory successfully retrieves latest changes for user info. The code has been tested on both Windows 2003/Windows 2008.

My problem is that I would like to limit my search on a specific AD Organization Unit (OU). So on the previous code I'm changing baseDN to the following:

string baseDN = "OU=MyCompany,DC=mydomain,DC=com";

Open in new window


Running again the code, causes the following exception
System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.
                    at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
                    at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
                    at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request)                    

Open in new window


I found that "Replicating Directory Permissions" may cause the problem and should applied for the user, but i had no luck. The exception "The user has insufficient access rights." is throwed for every OU although i provided my user with all the permissions that could possible including inheritance cases.

Is there any other possible cause that could prevent searching for a specific OU?
0
Comment
Question by:Anestis Psomas
  • 2
2 Comments
 
LVL 17

Accepted Solution

by:
Tony Massa earned 500 total points
ID: 38767987
According to this:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms677626(v=vs.85).aspx
The base of a DirSync search must be the root of a directory partition, which can be a domain partition, the configuration partition, or the schema partition.
You would have to use LDAP filter to control results.

[Edit]
Take a look at LDAP assertion control.  I've never used it, but it seems like a possibility.
http://ff1959.wordpress.com/2011/08/05/mastering-the-ldap-assertion-control/

[Edit2]
...or not.  It doesn't appear to be a supported control on my domain (2008 R2 Mode)
0
 
LVL 17

Expert Comment

by:Tony Massa
ID: 39016052
http://support.microsoft.com/kb/891995

See:
Method 2: USN queries using the uSNChanged attribute

Monitoring USN changes benefits and permissions
 There are two benefits with using the uSNChanged attribute to poll for Active Directory object changes. The first benefit is that an uSNChanged attribute value search can be confined to a specific area of Active Directory. For example, unlike the DirSync control, object change searches can be limited to a specific subtree in the directory.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now