Anestis Psomas asked:
Using DirSyncRequestControl (.NET, System.DirectoryServices) causes a "The user has insufficient access rights" exception when searching an Organizational Unit (OU)
I'm using the following C# code to track changes applied to user objects in an Active Directory. The code uses cookies with DirSyncRequestControl in order to search for and retrieve the latest changes applied to user info.
using System;
using System.DirectoryServices.Protocols;
using System.Net;

//Create LDAP Connection
LdapDirectoryIdentifier id = new LdapDirectoryIdentifier("mydomain.com", 389, true, false);
LdapConnection connection = new LdapConnection(id);
connection.AuthType = AuthType.Basic; //Note: a simple bind on plain port 389 sends the password in cleartext
connection.Credential = new NetworkCredential("example@mydomain.com", "123456");
connection.SessionOptions.ProtocolVersion = 3; //Required in order to make paged searches
connection.Bind();
//Create Search Request object
string[] attributes = { "samaccountname", "displayname", "name", "initials" };
string baseDN = "DC=mydomain,DC=com";
string ldapSearchFilter = "(objectClass=user)";
SearchRequest request = new SearchRequest(baseDN, ldapSearchFilter, System.DirectoryServices.Protocols.SearchScope.Subtree, attributes);
//Load Cookie (GetCookie() is the asker's own helper, not shown; a null cookie means a full initial sync)
byte[] cookie = GetCookie();
//Add Cookie
DirSyncRequestControl dirSyncRC = new DirSyncRequestControl(cookie, System.DirectoryServices.Protocols.DirectorySynchronizationOptions.IncrementalValues, Int32.MaxValue);
request.Controls.Add(dirSyncRC);
//Send Request
SearchResponse searchResponse = (SearchResponse)connection.SendRequest(request);
//Handle response
foreach (SearchResultEntry entry in searchResponse.Entries)
{
    Console.WriteLine(entry.DistinguishedName);
}
Running the code against a valid Active Directory successfully retrieves the latest changes to user info. The code has been tested on both Windows 2003 and Windows 2008. My problem is that I would like to limit my search to a specific AD Organizational Unit (OU). So in the previous code I'm changing baseDN to the following:
string baseDN = "OU=MyCompany,DC=mydomain,DC=com";
Running the code again causes the following exception:
System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.
at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request)
I found that "Replicating Directory Permissions" may cause the problem and should be applied for the user, but I had no luck. The exception "The user has insufficient access rights." is thrown for every OU although I provided my user with all the permissions possible, including inheritance cases.
Is there any other possible cause that could prevent searching for a specific OU?
ASKER CERTIFIED SOLUTION
See:
Method 2: USN queries using the uSNChanged attribute
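The uSNChanged approach named above ("Method 2"), as an added example that is neither the asker's code nor the accepted answer: a plain search can be rooted at the OU and needs only read access, whereas a DirSync search must be rooted at a naming context (the domain root) and is gated by the Replicating Directory Changes right. It assumes the domain, OU and account from the question; the USN starting point of 0 is a constructed value, and the caller is expected to persist the returned USN per domain controller.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;

class OuChangeTracker
{
    // Prints every user under baseDN changed since lastUsn and returns the DC's new high-water
    // mark to persist. Caveat: uSNChanged is local to each DC and not replicated, so a stored USN
    // is only meaningful against the DC it came from (compare dnsHostName before reusing it).
    static long PollOu(LdapConnection connection, string baseDN, long lastUsn)
    {
        // Read the high-water mark *before* searching so nothing committed mid-search is skipped.
        SearchRequest rootReq = new SearchRequest("", "(objectClass=*)", SearchScope.Base,
                                                  "highestCommittedUSN", "dnsHostName");
        SearchResultEntry rootDse = ((SearchResponse)connection.SendRequest(rootReq)).Entries[0];
        long highestUsn = long.Parse((string)rootDse.Attributes["highestCommittedUSN"][0]);
        Console.WriteLine("DC {0}: USNs {1}..{2}", rootDse.Attributes["dnsHostName"][0], lastUsn + 1, highestUsn);
        // Ordinary subtree search: works on an OU and needs only read rights, unlike DirSync.
        string filter = string.Format("(&(objectCategory=person)(objectClass=user)(uSNChanged>={0})(uSNChanged<={1}))",
                                      lastUsn + 1, highestUsn);
        string[] attributes = { "samaccountname", "displayname", "uSNChanged" };
        SearchRequest request = new SearchRequest(baseDN, filter, SearchScope.Subtree, attributes);
        PageResultRequestControl page = new PageResultRequestControl(500); // stay under the server's page limit
        request.Controls.Add(page);
        while (true)
        {
            SearchResponse response = (SearchResponse)connection.SendRequest(request);
            foreach (SearchResultEntry entry in response.Entries)
                Console.WriteLine("{0} uSNChanged={1}", entry.DistinguishedName, entry.Attributes["uSNChanged"][0]);
            PageResultResponseControl next = null;
            foreach (DirectoryControl c in response.Controls)
                if (c is PageResultResponseControl) next = (PageResultResponseControl)c;
            if (next == null || next.Cookie.Length == 0) break;
            page.Cookie = next.Cookie; // fetch the next page
        }
        // Deleted users are not returned by this query; tracking deletions needs the Deleted Objects container.
        return highestUsn;
    }
    static void Main()
    {
        LdapConnection connection = new LdapConnection(new LdapDirectoryIdentifier("mydomain.com", 389, true, false));
        connection.SessionOptions.ProtocolVersion = 3;
        connection.AuthType = AuthType.Negotiate; // Kerberos/NTLM: unlike Basic, no cleartext password on port 389
        connection.Credential = new NetworkCredential("example@mydomain.com", "<password>");
        connection.Bind();
        long lastUsn = 0; // constructed starting point: the first poll returns every user under the OU
        lastUsn = PollOu(connection, "OU=MyCompany,DC=mydomain,DC=com", lastUsn);
        Console.WriteLine("Next poll starts after USN {0}", lastUsn);
    }
}
```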