LDAP search returns no entries for hidden or deleted objects (185475)
The information in this article applies to:
- Microsoft Exchange Server 5.5
This article was previously published under Q185475 SYMPTOMS
Using LDAP with Simple Authentication and appending cn=Admin to the
username does not return hidden or deleted objects.
The use of cn=Admin is discussed briefly in the Microsoft TechNet documentation in the following white paper:
"Active Directory Service Interfaces in the Microsoft Exchange 5.5
Environment"
To view the whitepaper, visit the following Microsoft Web site: http://www.microsoft.com/technet/prodtechnol/exchange/55/support/adsi.mspxCAUSE
During an attempt by the Microsoft Exchange Server directory Service to
determine whether the user who is logged on has View Only Admin rights (or
greater), a Windows NT system call fails, which causes the user to be
denied the right to view hidden and deleted objects.
The system service attempts to access a thread token, and the Discretionary
Access Control List (DACL) on the impersonated thread may vary based on the
type of impersonation. (For instance, whether ImpersonateLoggedOnUser() or
ImpersonateNamedPipeClient() was called.)
For basic authentication (required in order to pass the cn=Admin argument),
the thread token was inaccessible to the impersonated client.
WORKAROUND
To work around this problem, make the Exchange Server Service account a
member of the Local Administrators group.
| Modification Type: | Minor | Last Reviewed: | 4/28/2005 |
|---|
| Keywords: | kbbug KB185475 |
|---|
|