
Active Directory attribute listing: Windows server vs SBS 2003


  • Active Directory attribute listing: Windows server vs SBS 2003

    In order to collect data from Active Directory servers, we create a user in Active Directory, and allow it read permission on Active Directory:
    [Click Start > Active Directory Users and Computers. In the menu click View > Advanced features. Right click on the domain name, in the menu click Properties. Select the Security tab, click Add and add the new ‘user’ account you have just created. Assign it the Read permission only.]

    Then a remote computer connects to port 3268 Global Catalog with this user login and password to collect other user data by browsing the Active Directory server LDAP contents.

    After binding properly we either use the Softerra LDAP browser or issue a search like:
    Lightweight Directory Access Protocol
    LDAP Message, Search Request
    Message Id: 5346
    Message Type: Search Request (0x03)
    Message Length: 146
    Response In: 7
    Base DN: DC=vircomeurope,DC=com
    Scope: Subtree (0x02)
    Dereference: Never (0x00)
    Size Limit: 0
    Time Limit: 30
    Attributes Only: False
    Filter: (|([email protected])(proxyAddresses=smtp:user [email protected]))

    This returns user LDAP data. We notice that only with SBS 2003, some attributes are not returned. The following are missing:
    - sn
    - instanceType
    - whenCreated
    - whenChanged
    - uSNCreated
    - memberOf
    - uSNChanged
    - userAccountControl
    - dSCorePropagationData

    An identical request to an Active Directory from a Windows 2000 or 2003 server gets all these attributes listed properly.

    With Active Directory from Small Business Server 2003 (SBS 2003), these few Active Directory attributes are not listed to the external browser. We need some of these missing attributes listed.

    Making the browsing SBS user a member of the “Account Operators”, “Enterprise Admins” or “Domain Power Users” groups does list all attributes while LDAP browsing, but causes a security breach if the distant computer connects through the Internet without encryption.

    Would you know how to list these extra attributes with SBS, as it does by default in Windows server Active Directory?
    Last edited by obirle; 10th May 2007, 16:31. Reason: Clarification

  • #2
    Re: Active Directory attribute listing: Windows server vs SBS 2003

    I found out how to assign permissions to allow a user configured in SBS 2003 (as detailed in the question) to read all user data from port 389 or 3268 after LDAP login.

    A further permission needs to be applied for Small Business Server only. (Due to internal restrictions, SBS does not assign the same default Active Directory LDAP read permissions. These further steps are not required with Active Directory on a standard Windows server.)

    - In Active Directory Users and Computers right-click on the root of the tree for the domain, select All Tasks > Delegate Control.
    This starts the Delegation Wizard.
    - Click Next.
    - Click Add.
    - Click Advanced.
    - Click Find Now.
    - Select the user account you have created to read user data from Active Directory, and click OK.
    - Click OK.
    - Click Next.
    - Select Delegate the following common tasks, and enable 'Read all user information'. Click Next.
    - Click Finish to complete permission assignment.
    A few minutes might be necessary to make these new permissions active.

    Now the user account can log in on port 389 or 3268, and read all data of all users.
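
    Added example (not code from the thread or from Microsoft): a small Python check for the situation described in both posts. It rebuilds the question's search filter with RFC 4515 escaping, compares what a Global Catalog search returns against the nine attributes the question reports as withheld by SBS 2003, and can be run before and after the delegation step in the answer to confirm the fix. The sample entries are constructed, the host, base DN and bind account are placeholders, and the live query assumes the third-party ldap3 package.

```python
import ssl

# Attributes the question reports as absent from SBS 2003 search results
# until "Read all user information" is delegated to the query account.
SBS_WITHHELD = [
    "sn", "instanceType", "whenCreated", "whenChanged", "uSNCreated",
    "memberOf", "uSNChanged", "userAccountControl", "dSCorePropagationData",
]


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter (RFC 4515 rules).

    The thread's filter splices an e-mail address straight into the filter
    string; if that address comes from user input, escaping keeps it from
    changing the filter's structure.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def build_user_filter(email: str) -> str:
    """Same filter shape as the question: match on mail or on the SMTP proxy address."""
    e = escape_filter_value(email)
    return "(|(mail=%s)(proxyAddresses=smtp:%s))" % (e, e)


def missing_attributes(attrs: dict, expected=SBS_WITHHELD) -> list:
    """Return those of `expected` that a search entry did not populate.
    ldap3 reports a requested but unreadable attribute as an empty list."""
    return [a for a in expected if a not in attrs or attrs[a] in ([], None, "")]


# Constructed sample entries (not real directory data): one complete entry as a
# standard Windows server returns it, one as SBS 2003 returns it before delegation.
SAMPLE_FULL = {
    "cn": ["John Doe"], "sn": ["Doe"], "instanceType": 4,
    "whenCreated": ["2007-05-10T12:00:00+00:00"],
    "whenChanged": ["2007-05-10T12:00:00+00:00"],
    "uSNCreated": 12345, "memberOf": ["CN=Users,DC=example,DC=com"],
    "uSNChanged": 12360, "userAccountControl": 512,
    "dSCorePropagationData": ["1601-01-01T00:00:00+00:00"],
}
SAMPLE_SBS = {"cn": ["John Doe"], "mail": ["user@example.com"],
              "sn": [], "memberOf": [], "userAccountControl": []}


def query_global_catalog(host, base_dn, bind_user, bind_password, email,
                         port=3268, use_ssl=False):
    """Live version of the check (placeholder host, base DN and account).
    Needs the third-party ldap3 package. The thread binds in clear to 3268;
    for a bind that crosses the Internet use the Global Catalog TLS port 3269
    with use_ssl=True so the password and the returned data are encrypted."""
    from ldap3 import Server, Connection, SUBTREE, Tls  # third-party package

    tls = Tls(validate=ssl.CERT_REQUIRED) if use_ssl else None
    server = Server(host, port=port, use_ssl=use_ssl, tls=tls)
    conn = Connection(server, user=bind_user, password=bind_password, auto_bind=True)
    conn.search(base_dn, build_user_filter(email), search_scope=SUBTREE,
                attributes=["cn", "mail"] + SBS_WITHHELD)
    return [(entry["dn"], missing_attributes(entry["attributes"]))
            for entry in conn.response if entry.get("type") == "searchResEntry"]


if __name__ == "__main__":
    print("full entry, missing:", missing_attributes(SAMPLE_FULL))
    print("SBS entry, missing:", missing_attributes(SAMPLE_SBS))
    print("filter:", build_user_filter("user@example.com"))
```

    Run `query_global_catalog` with the read-only query account once before and once after the Delegate Control steps: an empty missing-attribute list for each returned entry confirms that the delegation, rather than a broader group membership, was enough.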