Windows or 3rd party firewall related??

--
Dean Wells
MSEtechnology
t Email: [EMAIL PROTECTED]
http://msetechnology.com

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Sakari Kouti
> Sent: Saturday, July 22, 2006 11:39 AM
> To: [email protected]
> Subject: RE: [ActiveDir] RootDSE requires admin privileges
>
> Hi Joe,
>
> I installed NetMon on that workstation and it seems that nothing gets
> out on the wire with the failure case. And quite normal LDAP searches
> in the success case.
>
> I also did a little more testing and found out that the user doesn't
> need to be a domain admin for the script lines to work. A local admin
> in the workstation is enough (but still the same user).
>
> Then I installed a second similar XP workstation in the forest, and it
> doesn't have this problem.
>
> So it seems that something funny has happened in the first workstation
> that breaks ADSI. Probably not worth to explore any further.
>
> Yours, Sakari
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of joe
> Sent: 21 July 2006 3:31
> To: [email protected]
> Subject: RE: [ActiveDir] RootDSE requires admin privileges
>
> Hey Sakari, do you have a trace showing the ADSI failure and its
> resulting success if run by DA that you can post?
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
> Sent: Thursday, July 20, 2006 6:26 PM
> To: [email protected]
> Subject: [ActiveDir] RootDSE requires admin privileges
>
> Hi,
>
> I wonder if anyone else has run into a situation, where normal ADSI
> rootDSE binding doesn't work, unless the user is a domain admin?
>
> The following two-line script is a sample:
>
> Set objDSE = GetObject("LDAP://rootDSE")
> WScript.Echo objDSE.Get("defaultNamingContext")
>
> The first line produces the error 800401E4 (invalid syntax), if an end
> user runs the lines on an XP SP1 workstation in my tiny dev forest.
>
> - If the same user logs on to a DC (everyone is allowed to log on to
>   them in this case) and runs the lines, they work fine.
>
> - If the same user is put in Domain Admins, the lines work fine even on
>   the previously mentioned XP workstation.
>
> - If the same user (without being an admin) starts LDP on the XP
>   workstation, she'll get the rootDSE information in LDP.
>
> This is only a two-DC dev forest (with one root domain and one child
> domain), but I wonder if this could happen in production too? The DCs
> are Windows Server 2003, and not even SP1, because they originate from
> a project I did early last year, and now returned to it. Even though
> the DCs were frozen for quite a while as Virtual PC images, replication
> works quite fine and the tombstone lifetime is 10 years.
>
> Yours, Sakari
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
