Microsoft KB Archive/185475

= LDAP search returns no entries for hidden or deleted objects =

Article ID: 185475

Article Last Modified on 10/28/2006

-

APPLIES TO


 * Microsoft Exchange Server 5.5 Standard Edition

-



This article was previously published under Q185475





SYMPTOMS
Using LDAP with Simple Authentication and appending cn=Admin to the username does not return hidden or deleted objects.

The use of cn=Admin is discussed briefly in the Microsoft TechNet documentation in the following white paper:

"Active Directory Service Interfaces in the Microsoft Exchange 5.5 Environment"

To view the whitepaper, visit the following Microsoft Web site:

http://www.microsoft.com/technet/prodtechnol/exchange/55/support/adsi.mspx



CAUSE
During an attempt by the Microsoft Exchange Server directory Service to determine whether the user who is logged on has View Only Admin rights (or greater), a Windows NT system call fails, which causes the user to be denied the right to view hidden and deleted objects.

The system service attempts to access a thread token, and the Discretionary Access Control List (DACL) on the impersonated thread may vary based on the type of impersonation. (For instance, whether ImpersonateLoggedOnUser or ImpersonateNamedPipeClient was called.)

For basic authentication (required in order to pass the cn=Admin argument), the thread token was inaccessible to the impersonated client.



WORKAROUND
To work around this problem, make the Exchange Server Service account a member of the Local Administrators group.

Additional query words: Empty query queries LDAP response results ADSI

Keywords: kbbug KB185475

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.