Using DirSyncRequestControl (.NET, System.DirectoryServices) causes "The user has insufficient access rights" exception in case of Organizational Unit (OU) search

I'm using the following C# code to track changes applied on user objects of an Active Directory. The code uses cookies with DirSyncRequestControl in order to search and retrieve the latest changes applied to user info.

    using System;
    using System.DirectoryServices.Protocols;
    using System.Net;

    // Create LDAP connection (plain port 389, no SSL)
    LdapDirectoryIdentifier id = new LdapDirectoryIdentifier("mydomain.com", 389, true, false);
    LdapConnection connection = new LdapConnection(id);

    // Note: a Basic bind over plain port 389 sends the password in clear text
    connection.AuthType = AuthType.Basic;
    connection.Credential = new NetworkCredential("example@mydomain.com", "123456");

    connection.SessionOptions.ProtocolVersion = 3; // Required in order to use controls such as paging/DirSync

    connection.Bind();

    // Create search request object
    string[] attributes = { "samaccountname", "displayname", "name", "initials" };
    string baseDN = "DC=mydomain,DC=com";
    string ldapSearchFilter = "(objectClass=user)";

    SearchRequest request = new SearchRequest(baseDN, ldapSearchFilter, SearchScope.Subtree, attributes);

    // Load the cookie persisted by the previous run (GetCookie is a helper not shown here;
    // a null cookie requests a full initial synchronisation)
    byte[] cookie = GetCookie();

    // Add the DirSync control carrying the cookie
    DirSyncRequestControl dirSyncRC = new DirSyncRequestControl(cookie, DirectorySynchronizationOptions.IncrementalValues, Int32.MaxValue);
    request.Controls.Add(dirSyncRC);

    // Send request
    SearchResponse searchResponse = (SearchResponse)connection.SendRequest(request);

    // Handle response; the DirSyncResponseControl in searchResponse.Controls carries
    // the cookie that must be persisted for the next incremental search
    foreach (SearchResultEntry entry in searchResponse.Entries)
    {
        Console.WriteLine(entry.DistinguishedName);
    }

Running the code against a valid Active Directory successfully retrieves the latest changes to user info. The code has been tested on both Windows 2003 and Windows 2008.

My problem is that I would like to limit my search to a specific AD Organizational Unit (OU). So in the previous code I'm changing baseDN to the following:

    string baseDN = "OU=MyCompany,DC=mydomain,DC=com";


Running the code again causes the following exception:

    System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.
        at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
        at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
        at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request)


I found that "Replicating Directory Permissions" may cause the problem and should be applied for the user, but I had no luck. The exception "The user has insufficient access rights." is thrown for every OU although I provided my user with all the permissions possible, including inheritance cases.

Is there any other possible cause that could prevent searching for a specific OU?
Anestis Psomas, System and Network Administrator, asked.

Tony Massa commented:
According to this:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms677626(v=vs.85).aspx
The base of a DirSync search must be the root of a directory partition, which can be a domain partition, the configuration partition, or the schema partition.
You would have to use an LDAP filter to control results.

[Edit]
Take a look at the LDAP assertion control. I've never used it, but it seems like a possibility.
http://ff1959.wordpress.com/2011/08/05/mastering-the-ldap-assertion-control/

[Edit2]
...or not.  It doesn't appear to be a supported control on my domain (2008 R2 Mode)
Tony Massa commented:
http://support.microsoft.com/kb/891995

See:
Method 2: USN queries using the uSNChanged attribute

Monitoring USN changes benefits and permissions
There are two benefits with using the uSNChanged attribute to poll for Active Directory object changes. The first benefit is that a uSNChanged attribute value search can be confined to a specific area of Active Directory. For example, unlike the DirSync control, object change searches can be limited to a specific subtree in the directory.
0
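Both answers point to the same workaround: keep the DirSync base at the partition root and filter, or poll uSNChanged, which may be rooted at the OU itself. The following is an added example (not code from the thread or from Microsoft) of the uSNChanged approach with the same System.DirectoryServices.Protocols API; the DC name dc01.mydomain.com is assumed, and it binds with Negotiate so no clear-text password crosses the wire.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
static class UsnChangePoller
{
    // Returns DNs of user objects under ouDn changed since lastUsn; newUsn is the mark
    // to persist. uSNChanged is not replicated: a stored mark only applies to the DC it came from.
    public static List<string> GetChangedUsers(LdapConnection connection,
        string ouDn, long lastUsn, out long newUsn)
    {
        // Read highestCommittedUSN from RootDSE before searching, so anything
        // committed while the search runs is picked up by the next poll.
        var rootDse = (SearchResponse)connection.SendRequest(new SearchRequest(
            null, "(objectClass=*)", SearchScope.Base, "highestCommittedUSN"));
        newUsn = long.Parse((string)rootDse.Entries[0]
            .Attributes["highestCommittedUSN"].GetValues(typeof(string))[0]);
        // LDAP has no strict '>' so use '>=' on lastUsn + 1. Unlike DirSync,
        // the search base may be the OU itself, not the partition root.
        string filter = "(&(objectClass=user)(uSNChanged>=" + (lastUsn + 1) + "))";
        var request = new SearchRequest(ouDn, filter, SearchScope.Subtree,
            "sAMAccountName", "displayName", "uSNChanged");
        var paging = new PageResultRequestControl(500); request.Controls.Add(paging);
        var changed = new List<string>();
        while (true)
        {
            var response = (SearchResponse)connection.SendRequest(request);
            foreach (SearchResultEntry entry in response.Entries)
                changed.Add(entry.DistinguishedName);
            // Keep paging until the server returns an empty paging cookie.
            PageResultResponseControl page = null;
            foreach (DirectoryControl c in response.Controls)
                page = c as PageResultResponseControl ?? page;
            if (page == null || page.Cookie == null || page.Cookie.Length == 0) break;
            paging.Cookie = page.Cookie;
        }
        return changed;
    }

    static void Main()
    {
        // Assumed DC name; OU from the question; 0 as the mark for a first full pass.
        var connection = new LdapConnection(new LdapDirectoryIdentifier("dc01.mydomain.com", 389));
        connection.SessionOptions.ProtocolVersion = 3;   // needed for controls such as paging
        connection.AuthType = AuthType.Negotiate;        // Kerberos/NTLM, no clear-text password
        connection.Bind();
        long newUsn;
        foreach (string dn in GetChangedUsers(connection, "OU=MyCompany,DC=mydomain,DC=com", 0, out newUsn)) Console.WriteLine(dn);
        Console.WriteLine("Next poll of dc01 should start from USN " + newUsn);
    }
}
```

Deleted objects are not returned by this query (tombstones sit in the Deleted Objects container), which is one of the trade-offs against DirSync.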