views: 1115
answers: 2
When querying with LDAP against our Active Directory structure to look up user accounts, some records (but not all) are missing certain key fields, specifically memberOf and userAccountControl (which has a bit flag that indicates whether the account is disabled or not).

Here are a few refining details:

  • If the query is set to filter on any of those fields (such as getting a list of non-disabled accounts in the Marketing department group), they disappear from the result set (since as far as AD is concerned, they're missing).

  • If the query is performed with a highly-privileged domain admin account, the query works just fine.

  • The records with the problem are about 1/4 - 1/3 of the total user records. Most do seem to be newer records (we thought for a time that it was perhaps related to upgrading to 2003 on the domain controller server), although some older records seem affected as well.

  • A cursory look over two similar records, one whose entire record is viewable by any account and another which isn't, doesn't show any obvious differences.

So my best guess is that there's some sort of permission deny set (perhaps at the schema level?) which makes certain fields restricted. I should note that the domain administrators never knowingly set any such permissions.

UPDATE/RESOLUTION: ADSI Edit (in Windows 2003 Support Tools) helped me to nail it down to a change in the default permissions on the Authenticated User role. For some people, the role contained the Read Account Restrictions (which contains userAccountControl) and Read Group Membership (memberOf), and for others it didn't.

The original cause of the difference still isn't clear, although the fact that most of the "bad" records were created after a switch to Windows 2003 for the Domain Controller could be a factor.

SOLUTION: This is still a bit undecided, but will most likely be an updated Group Policy, combined with a script to update existing accounts.
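As an added illustration of the symptom in the question (example code, not from the original post): the records below are constructed in the shape an LDAP client returns for a low-privileged bind, with one object whose memberOf and userAccountControl that bind cannot read. The client-side equivalent of the "non-disabled members of Marketing" filter drops that object with no error, whereas an audit that reports an unreadable state as "unknown" surfaces it. The DNs, account names and group are hypothetical.

```python
# Constructed sample records in the shape an LDAP client (ldap3-style) returns
# for a low-privileged bind: Carol's object lacks the two attributes because the
# Authenticated Users permissions on it differ from Alice's and Bob's.
ACCOUNTDISABLE = 0x0002  # userAccountControl bit flag for a disabled account
MARKETING = "CN=Marketing,OU=Groups,DC=example,DC=com"  # hypothetical group DN

SAMPLE_RESULTS = [
    {"dn": "CN=Alice,OU=Users,DC=example,DC=com",
     "attributes": {"sAMAccountName": ["alice"], "userAccountControl": ["512"],
                    "memberOf": [MARKETING]}},
    {"dn": "CN=Bob,OU=Users,DC=example,DC=com",
     "attributes": {"sAMAccountName": ["bob"], "userAccountControl": ["514"],
                    "memberOf": [MARKETING]}},
    {"dn": "CN=Carol,OU=Users,DC=example,DC=com",
     "attributes": {"sAMAccountName": ["carol"]}},  # memberOf/UAC unreadable
]


def account_state(entry):
    """'enabled', 'disabled', or 'unknown' when userAccountControl is unreadable."""
    values = entry["attributes"].get("userAccountControl")
    if not values:
        return "unknown"
    return "disabled" if int(values[0]) & ACCOUNTDISABLE else "enabled"


def enabled_members_naive(results, group_dn):
    """Client-side equivalent of the server-side filter
    (&(memberOf=<group>)(!(userAccountControl:1.2.840.113556.1.4.803:=2))):
    an object whose attributes the caller cannot read never matches, so it
    vanishes from the result without any error."""
    return [e["attributes"]["sAMAccountName"][0] for e in results
            if group_dn in e["attributes"].get("memberOf", [])
            and account_state(e) == "enabled"]


def audit(results):
    """Group DNs by account state so objects whose userAccountControl the caller
    cannot read are reported rather than silently dropped. Every user object
    carries userAccountControl, so its absence is a reliable signal; a missing
    memberOf is ambiguous (a user in no groups legitimately has none)."""
    report = {"enabled": [], "disabled": [], "unknown": []}
    for e in results:
        report[account_state(e)].append(e["dn"])
    return report
```

Run the audit with the same bind account that the application uses; the "unknown" list is the set of objects whose permissions should be compared against a working one in ADSI Edit.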

+2  A: 

You can check the permission on the specific field of the specific users with ADSI Edit. Somehow they must have been changed, and you will have to restore them to default. Maybe they were changed at the OU level of some of the users. In this case you can mass fix them.

Igal Serban
A: 

What is of interest is that both the attributes you suggested are sort of read only. Member (attribute on a group) is maintained in Active Directory. The MemberOf value on a User is calculated based on a query, and is not actually statically stored on the user object.

I am pretty sure userAccountControl is a read only attribute as well, via LDAP. (Other approaches are needed to manipulate it directly.)

Not sure if that helps, but might be a hint in the right direction. (Or else totally wrong..)

geoffc