
We use this code to query an ADAM instance.

DirectoryEntry adRoot = new DirectoryEntry(ConfigurationManager.AppSettings["LdapConnectionString"].ToString());

DirectorySearcher adSearch = new DirectorySearcher(adRoot);
adSearch.Filter = "(&(objectClass=user)(objectCategory=person))";
SearchResultCollection searchResults = adSearch.FindAll();

return searchResults;

This is in an appSettings tag in App.config:

<add key="LdapConnectionString" value="LDAP://servername:portnumber/dc=domainname" />
We use the code to print out all the property names that we are retrieving from an ADAM instance.

DirectoryEntry entry = searchResults[0].GetDirectoryEntry();
foreach (string property in entry.Properties.PropertyNames)
{
    Console.WriteLine(property);
}

PropertiesToLoad is the empty StringCollection, PropertyNamesOnly is false.

We aren't retrieving proxyAddresses, street, zipCode, and many other attributes we need for our program.
I found here that:

If you do not specify a list of attributes, the search returns values for all attributes permitted by the access control set in the directory.

So, my question...where is this access control set and how would we modify it so we could have access to those attributes?


Use ADSIEdit; you can break stuff, so be careful. (http://technet.microsoft.com/en-us/library/cc773354%28WS.10%29.aspx)

I've never had to go that deep, it's a little buried. You open up ADSIEdit and get to the object you want to have a look at (or a whole container/OU), right click and go to "properties."

Click on the security tab, click the "advanced" button, click on "edit" to have a peek at what you can do (don't make any changes yet). You'll see the standard permissions like "Full Control" or "Modify Owner" and above, where it applies, "This object only".

There is another tab "Properties" right where you are - where all the goodies are. "Read business roles" and "Read Proxy Addresses" and such are there.

You can add a new group, tick the boxes you like in there, have it apply to the entire container or OU and you should be good to go.

Matt
  • +1 for the general warning to be uber careful with ADSIEdit, but since this is an ADAM instance the impact of getting it wrong isn't so severe, and he may need to use the ADAM ADSIEdit, although I'm not 100% sure of that. http://technet.microsoft.com/en-us/library/cc755803(WS.10).aspx – Helvick Sep 14 '10 at 16:57
  • I forgot to specify that it's a Windows 2003 R2 server. This version of ADSIEdit only has "Attribute Editor" when you right click and click properties. – seekerOfKnowledge Sep 14 '10 at 18:16
  • I was walking through the steps using 2003 R2. Are you sure the account you are using has Domain/Enterprise Admin type permissions when you are running ADSIEdit? If it doesn't you probably won't get far. – Matt Sep 14 '10 at 20:32
  • Oh, so, what you're saying is if I had Domain Admin permissions, the tabs would be there. That makes sense, but I didn't think of that. And you are right in that the account I was given to use is not a domain admin. What I wanted to know is what would I want to send to someone who was a domain admin so I could request for the permissions I needed. Good to know that the tabs do not show up for users who aren't domain admins. – seekerOfKnowledge Sep 15 '10 at 17:39
  • Yep - those tabs probably don't show up without the proper permissions. Never tried running that without them since you wouldn't be able to "fix" anything. :) You should be able to let them know what you want, point them to this post if they aren't quite clear on how to do it, and you'll be off and running. :) – Matt Sep 15 '10 at 17:46

This is really a function of two things:

  1. The user context in which the query is run.

  2. The ACEs on the object(s) being read.

My question to you is under what user context is the query running?

Authenticated users should have the ability to read all properties, if I'm not mistaken.

In addition, you should be able to facilitate this via the Delegation of Control wizard as well as via ADSIEdit.

joeqwerty
  • The query is run under the root user, which has local admin, but not domain admin, which is most likely the problem, but we don't feel we will be granted domain admin. I need to be able to go to my team lead with exactly what it is we need to request to be changed, and as in my comment to the other question, I should have specified this is a Windows 2003 R2 server. – seekerOfKnowledge Sep 14 '10 at 18:18
  • Is the root user a domain user? Does the user have an account in the domain being queried? – joeqwerty Sep 14 '10 at 18:27

http://support.microsoft.com/kb/281146

It is the command-line equivalent of the Security tab in the Windows Active Directory snap-in tools such as Active Directory Users and Computers and Active Directory Sites and Services.

The syntax is fun to learn, but I've been able to successfully deny access on a sandbox environment with ADAM using the ADAM Command Line Prompt with:

dsacls "\\localhost\OU=ouname,OU=ou2name,DC=domainname,DC=domainname2" /d domain\group:GR

/d denies domain\group GR (Generic Read), which includes many properties like proxyAddresses, street, and many others. I'll need to ask them to grant GR to the group that root is a member of, or make me another user, or something. Either way, we figured it out.
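The question asks where this access control lives, joeqwerty's answer names the ACEs on the object, and the dsacls answer shows GR (Generic Read), which is broader than the per-attribute read the program actually needs. The following is an added C# example, not code from the thread, that walks one ADAM object's DACL and reports whether a given trustee SID may read each listed attribute, so the request sent to the admin can name exactly the missing ACEs. It assumes placeholder server and DN values, matches only ACEs for that SID (not for groups it belongs to), and ignores ACEs scoped to a property set, so it can report "not allowed" where a property-set ACE would in fact grant the read.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

// Hypothetical audit helper (not from the post): walks the DACL of one ADAM object.
static class AttributeReadAudit
{
    // Look up an attribute's schemaIDGUID; property-scoped ACEs carry it in ObjectType.
    static Guid SchemaGuid(string ldapRoot, string ldapDisplayName)
    {
        using (var rootDse = new DirectoryEntry(ldapRoot + "/RootDSE"))
        using (var schema = new DirectoryEntry(ldapRoot + "/" + rootDse.Properties["schemaNamingContext"].Value))
        using (var search = new DirectorySearcher(schema, "(lDAPDisplayName=" + ldapDisplayName + ")", new[] { "schemaIDGUID" }))
        {
            SearchResult hit = search.FindOne();
            if (hit == null) throw new ArgumentException("unknown attribute: " + ldapDisplayName);
            return new Guid((byte[])hit.Properties["schemaIDGUID"][0]);
        }
    }

    // attribute -> true when an Allow ACE for the trustee grants ReadProperty or GenericRead
    // (on all properties, or on this specific property) and no Deny ACE covers it.
    public static Dictionary<string, bool> Audit(string ldapRoot, string objectDn, SecurityIdentifier trustee, IEnumerable<string> attributes)
    {
        var result = new Dictionary<string, bool>();
        using (var entry = new DirectoryEntry(ldapRoot + "/" + objectDn))
        {
            // Explicit and inherited ACEs, keyed by SID so no name translation is attempted.
            // Only the trustee itself is matched; ACEs for groups it belongs to are not considered.
            var rules = new List<ActiveDirectoryAccessRule>();
            foreach (ActiveDirectoryAccessRule r in entry.ObjectSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier)))
                if (r.IdentityReference.Equals(trustee)) rules.Add(r);
            foreach (string attr in attributes)
            {
                Guid attrGuid = SchemaGuid(ldapRoot, attr);
                bool allowed = false, denied = false;
                foreach (var r in rules)
                {
                    if ((r.ActiveDirectoryRights & (ActiveDirectoryRights.ReadProperty | ActiveDirectoryRights.GenericRead)) == 0) continue;
                    if (r.ObjectType != Guid.Empty && r.ObjectType != attrGuid) continue; // scoped to another property or right
                    if (r.AccessControlType == AccessControlType.Allow) allowed = true; else denied = true;
                }
                result[attr] = allowed && !denied;
            }
        }
        return result;
    }
}
```

Call it as `AttributeReadAudit.Audit("LDAP://servername:portnumber", "cn=someuser,dc=domainname", new NTAccount(@"domain\group").Translate(typeof(SecurityIdentifier)) as SecurityIdentifier, new[] { "proxyAddresses", "street" })`; every attribute that comes back false is one the admin needs to grant RP on (or GR on the container, as the dsacls answer does).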