Hey Sakari, do you have a trace showing the ADSI failure and its resulting success if run by DA that you can post?
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sakari Kouti
Sent: Thursday, July 20, 2006 6:26 PM
To: [email protected]
Subject: [ActiveDir] RootDSE requires admin privileges

Hi,

I wonder if anyone else has run into a situation where normal ADSI rootDSE binding doesn't work unless the user is a domain admin?

The following two-line script is a sample:

    Set objDSE = GetObject("LDAP://rootDSE")
    WScript.Echo objDSE.Get("defaultNamingContext")

The first line produces the error 800401E4 (invalid syntax) if an end user runs the lines on an XP SP1 workstation in my tiny dev forest.

- If the same user logs on to a DC (everyone is allowed to log on to them in this case) and runs the lines, they work fine.
- If the same user is put in Domain Admins, the lines work fine even on the previously mentioned XP workstation.
- If the same user (without being an admin) starts LDP on the XP workstation, she'll get the rootDSE information in LDP.

This is only a two-DC dev forest (with one root domain and one child domain), but I wonder if this could happen in production too?

The DCs are Windows Server 2003, and not even SP1, because they originate from a project I did early last year, and now returned to it. Even though the DCs were frozen for quite a while as Virtual PC images, replication works quite fine and the tombstone lifetime is 10 years.

Yours, Sakari

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
