When you run an LDAP query against a Windows Server 2008-based domain controller, you obtain a partial attribute list
When you run a Lightweight Directory Access Protocol (LDAP) query against a Windows Server 2008-based domain controller, you obtain a partial attribute list. However, if you run the same LDAP query against a Windows Server 2003-based domain controller, you obtain a full attribute list.
Note: You can run this query from the domain controller or from a client computer that is running Windows Vista or Windows Server 2008.
The user account that you use to run the LDAP query has the following properties:
- The account is a member of the built-in Administrators group.
- The account is not the built-in administrator account.
- The account is a member of the Domain Admins group.
- The discretionary access control list (DACL) of the user object contains full control permission for the Administrators group.
- The effective permissions of the object that you query against show that the user has full control permission.
For more information about this issue, including potential causes, workarounds, and resolutions, see Microsoft Knowledge Base article KB976063.