Solved

Using DirSyncRequestControl (.NET, System.DirectoryServices) cause "The user has insufficient access rights" exception in case of Organization Unit (OU) search

Posted on 2013-01-11
2
2,054 Views
Last Modified: 2013-03-24
I'm using the following C# code to track changes applied on user objects of an Active Directory. The code uses cookies with DirSyncRequestControl in order to search and retrieve the latest changes applied to user info.

 //Create LDAP Connection
            LdapDirectoryIdentifier id = new LdapDirectoryIdentifier("mydomain.com", 389, true, false);
            LdapConnection connection = new LdapConnection(id);
            
            connection.AuthType = AuthType.Basic;
            connection.Credential = new NetworkCredential("example@mydomain.com", "123456");

            connection.SessionOptions.ProtocolVersion = 3; //Required in order to make paged searches

            connection.Bind();

            //Create Search Request object
            string[] attributes = { "samaccountname", "displayname", "name", "initials" };
            string baseDN = "DC=mydomain,DC=com";
            string ldapSearchFilter = "(objectClass=user)";

            SearchRequest request = new SearchRequest(baseDN, ldapSearchFilter, System.DirectoryServices.Protocols.SearchScope.Subtree, attributes);
            
            //Load Cookie
            cookie = GetCookie();

            //Add Cookie
            DirSyncRequestControl dirSyncRC = new DirSyncRequestControl(cookie, System.DirectoryServices.Protocols.DirectorySynchronizationOptions.IncrementalValues, Int32.MaxValue);
            request.Controls.Add(dirSyncRC);

            //Send Request
            SearchResponse searchResponse = (SearchResponse)connection.SendRequest(request);

            //Handle response
            foreach (SearchResultEntry entry in searchResponse.Entries)
            {
                Console.WriteLine(entry.DistinguishedName);
            }

Open in new window

Running the code against a valid Active Directory successfully retrieves latest changes for user info. The code has been tested on both Windows 2003/Windows 2008.

My problem is that I would like to limit my search on a specific AD Organization Unit (OU). So on the previous code I'm changing baseDN to the following:

string baseDN = "OU=MyCompany,DC=mydomain,DC=com";

Open in new window


Running again the code, causes the following exception
System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.
                    at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
                    at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
                    at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request)                    

Open in new window


I found that "Replicating Directory Permissions" may cause the problem and should applied for the user, but i had no luck. The exception "The user has insufficient access rights." is throwed for every OU although i provided my user with all the permissions that could possible including inheritance cases.

Is there any other possible cause that could prevent searching for a specific OU?
0
Comment
Question by:Anestis Psomas
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
2 Comments
 
LVL 17

Accepted Solution

by:
Tony Massa earned 500 total points
ID: 38767987
According to this:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms677626(v=vs.85).aspx
The base of a DirSync search must be the root of a directory partition, which can be a domain partition, the configuration partition, or the schema partition.
You would have to use LDAP filter to control results.

[Edit]
Take a look at LDAP assertion control.  I've never used it, but it seems like a possibility.
http://ff1959.wordpress.com/2011/08/05/mastering-the-ldap-assertion-control/

[Edit2]
...or not.  It doesn't appear to be a supported control on my domain (2008 R2 Mode)
0
 
LVL 17

Expert Comment

by:Tony Massa
ID: 39016052
http://support.microsoft.com/kb/891995

See:
Method 2: USN queries using the uSNChanged attribute

Monitoring USN changes benefits and permissions
 There are two benefits with using the uSNChanged attribute to poll for Active Directory object changes. The first benefit is that an uSNChanged attribute value search can be confined to a specific area of Active Directory. For example, unlike the DirSync control, object change searches can be limited to a specific subtree in the directory.
0

Featured Post

Free Webinar: AWS Backup & DR

Join our upcoming webinar with experts from AWS, CloudBerry Lab, and the Town of Edgartown IT to discuss best practices for simplifying online backup management and cutting costs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question