Read access to Active Directory property (uSNChanged)
Posted
by
Tom Ligda
on Server Fault
See other posts from Server Fault
or by Tom Ligda
Published on 2012-10-31T01:13:40Z
Indexed on
2012/11/05
23:04 UTC
Read the original article
Hit count: 187
active-directory
|windows-server
I have an issue with read access to the uSNChanged property when doing LDAP searches.
If I do an LDAP search with a user that is a member of the Domain Admins group (UserA), I can see the uSNChanged property for every user.
The problem is that if I do an LDAP search with a user (UserB) that is not a member of the Domain Admins group, I can see the uSNChanged property for some users (UserGroupA) and not for some users (UserGroupB).
When I look at the users in UserGroupA and compare them to the users in UserGroupB, I see a crucial difference in the "Security" tab. The users in UserGroupA have the "Include inheritable permissions from this object's parent" unchecked. The users in UserGroupB have that option checked.
I also noticed that the users in UserGroupA are users that were created earlier. The users in UserGroupB are users created recently. It's difficult to quantify, but I estimate the border between creation time between the users in UserGroupA and UserGroupB is about 6 months ago.
What can cause the user creation to default to having that security property checked as opposed to unchecked? A while back (maybe around 6 months ago?) I changed the domain functional level from Windows Server 2003 to Windows Server 2008 R2. Would that have had this effect? (I can't exactly downgrade the domain functional level to test it out.)
Is this security property actually the cause of the issue with read access to the uSNChanged property on LDAP searches? It seems correlated, but I'm not sure about causation.
What I want in the end is for all authenticated users to have read access to the uSNChanged property for all users when doing an LDAP search. I would also be OK if I could grant read access for that property to an AD group. Then I can control access by adding members to the group.
© Server Fault or respective owner