Article ID: 233234
Article Last Modified on 6/11/2002
APPLIES TO
- Microsoft Site Server 3.0 Standard Edition
- Microsoft Active Directory Service Interfaces 2.5
This article was previously published under Q233234
SYMPTOMS
When retrieving the ntSecurityDescriptor of an object in the Membership Directory, you encounter the following error:
CAUSE
Site Server 3.0 does not advertise the fact that it accepts the "ntSecurityDescriptor" control, so Active Directory Service Interfaces (ADSI) 2.5 does not send it and, thus, the property cache will not contain the "ntSecurityDescriptor" by default. ADSI 2.5 was changed to avoid two roundtrips each time for servers that don't support this control. In ADSI 2.0 this works because this version of the program always sends the control, and if the server generates an error, the program sends the request again without the control.
RESOLUTION
You must first explicitly load the "ntSecurityDescriptor" attribute into the property cache using the IADs::GetInfoEx() method before requesting it. For example:
Dim adsObject Dim objSecurityDesc 'Bind to the object in the directory Set adsObject = GetObject("LDAP://myserver:1003/o=Microsoft/ou=Members") 'Load the ntSecurityDescriptor into the property cache Call adsObject.GetInfoEx(Array("ntSecurityDescriptor"), 0) 'Now you can retrieve the ntSecurityDescriptor Set objSecurityDesc = adsObject.Get("ntSecurityDescriptor")
Note that if your directory is secured, you must bind to the object using IADsOpenObject::OpenDSObject() (to perform an authenticated bind) rather than using GetObject().
STATUS
This behavior is by design.
REFERENCES
For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
224924 MDM Does Not Display Object ACEs after Install of ADSI 2.5
Additional query words: 8000500D
Keywords: kbprb KB233234