Hi Joe,

I installed NetMon on that workstation and it seems that nothing gets out on the wire in the failure case, and quite normal LDAP searches in the success case.

I also did a little more testing and found out that the user doesn't need to be a domain admin for the script lines to work. A local admin on the workstation is enough (but still the same user). Then I installed a second similar XP workstation in the forest, and it doesn't have this problem. So it seems that something funny has happened in the first workstation that breaks ADSI. Probably not worth exploring any further.

Yours,
Sakari

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 21 July 2006 3:31
To: [email protected]
Subject: RE: [ActiveDir] RootDSE requires admin privileges

Hey Sakari, do you have a trace showing the ADSI failure and its resulting success if run by DA that you can post?

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Thursday, July 20, 2006 6:26 PM
To: [email protected]
Subject: [ActiveDir] RootDSE requires admin privileges

Hi,

I wonder if anyone else has run into a situation where normal ADSI rootDSE binding doesn't work unless the user is a domain admin? The following two-line script is a sample:

    Set objDSE = GetObject("LDAP://rootDSE")          ' serverless bind to rootDSE via the ADSI LDAP provider
    WScript.Echo objDSE.Get("defaultNamingContext")   ' read the domain naming context from rootDSE

The first line produces the error 800401E4 (invalid syntax) if an end user runs the lines on an XP SP1 workstation in my tiny dev forest.

- If the same user logs on to a DC (everyone is allowed to log on to them in this case) and runs the lines, they work fine.
- If the same user is put in Domain Admins, the lines work fine even on the previously mentioned XP workstation.
- If the same user (without being an admin) starts LDP on the XP workstation, she'll get the rootDSE information in LDP.

This is only a two-DC dev forest (with one root domain and one child domain), but I wonder if this could happen in production too?

The DCs are Windows Server 2003, and not even SP1, because they originate from a project I did early last year, and now returned to it. Even though the DCs were frozen for quite a while as Virtual PC images, replication works quite fine and the tombstone lifetime is 10 years.

Yours,
Sakari

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
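A diagnostic for the symptom discussed in this thread, added here as an example and not code from the thread or its authors: it performs the same serverless rootDSE bind through ADSI and then bypasses ADSI with System.DirectoryServices.Protocols, so a failure confined to the workstation's ADSI/COM stack (as the NetMon observation suggests) can be told apart from an LDAP permission problem. It assumes PowerShell 3 or later on .NET Framework 4.5 or later, a domain-joined machine ($env:USERDNSDOMAIN set), and the function names are chosen for this example.

```powershell
# Assumes a domain-joined workstation ($env:USERDNSDOMAIN set), PowerShell 3+ and
# .NET Framework 4.5+ (public Exception.HResult). Function names are chosen for this example.

function Get-HResultHex {
    param([System.Exception]$Exception)
    # The COM error code (e.g. 800401E4 in the thread) sits on the innermost exception.
    $e = $Exception
    while ($e.InnerException) { $e = $e.InnerException }
    return ('0x{0:X8}' -f $e.HResult)
}

function Test-RootDseAdsi {
    # Same path as the VBScript sample: serverless bind through the ADSI LDAP provider.
    param([string]$Path = 'LDAP://rootDSE')
    try {
        $dse = [ADSI]$Path
        $dnc = $dse.Get('defaultNamingContext')
        [pscustomobject]@{ Layer = 'ADSI'; Target = $Path; Ok = $true;  Detail = $dnc }
    } catch {
        [pscustomobject]@{ Layer = 'ADSI'; Target = $Path; Ok = $false; Detail = (Get-HResultHex $_.Exception) }
    }
}

function Test-RootDseLdap {
    # Bypass ADSI and read rootDSE over plain LDAP via System.DirectoryServices.Protocols.
    # Success here while Test-RootDseAdsi fails points at the workstation's ADSI/COM stack,
    # not at directory permissions (consistent with 'nothing on the wire' in NetMon).
    param([string]$Domain = $env:USERDNSDOMAIN)
    $ns = 'System.DirectoryServices.Protocols'
    $conn = $null
    try {
        Add-Type -AssemblyName $ns
        $id   = New-Object "$ns.LdapDirectoryIdentifier" -ArgumentList $Domain
        $conn = New-Object "$ns.LdapConnection" -ArgumentList $id
        $req  = New-Object "$ns.SearchRequest" -ArgumentList '', '(objectClass=*)',
                    ([System.DirectoryServices.Protocols.SearchScope]::Base), 'defaultNamingContext'
        $resp = $conn.SendRequest($req)
        $dnc  = $resp.Entries[0].Attributes['defaultNamingContext'][0]
        [pscustomobject]@{ Layer = 'LDAP'; Target = $Domain; Ok = $true;  Detail = $dnc }
    } catch {
        [pscustomobject]@{ Layer = 'LDAP'; Target = $Domain; Ok = $false; Detail = (Get-HResultHex $_.Exception) }
    } finally {
        if ($conn) { $conn.Dispose() }
    }
}

# Run as the ordinary (non-admin) user on the affected workstation and compare the two rows.
@(Test-RootDseAdsi; Test-RootDseLdap) | Format-Table -AutoSize
```

Running it as the same user on the healthy second workstation gives a baseline where both rows report Ok = True.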
