KB976063

When you run a Lightweight Directory Access Protocol (LDAP) query against a Windows Server 2008-based domain controller, you obtain a partial attribute list. However, if you run the same LDAP query against a Windows Server 2003-based domain controller, you obtain a full attribute list.

Note: You can run this query from the domain controller or from a client computer that is running Windows Vista or Windows Server 2008.

The user account that you use to run the LDAP query has the following properties:

  • The account is a member of the built-in Administrators group.
  • The account is not the built-in administrator account.
  • The account is a member of the Domain Admins group.
  • The discretionary access control list (DACL) of the user object contains full control permission for the Administrators group.
  • The effective permissions of the object that you query against show that the user has full control permission.
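
To confirm the symptom, the following added example (not part of the original article) runs one LDAP query against both domain controllers and lists the attribute names that only the Windows Server 2003-based domain controller returns. The host names, base DN and filter are placeholders to replace with your own values.

```powershell
# Added example: compare the attribute names that the same LDAP query returns
# from two domain controllers. All four values below are placeholders.
$Dc2008 = 'dc2008.example.test'   # placeholder: Windows Server 2008-based DC
$Dc2003 = 'dc2003.example.test'   # placeholder: Windows Server 2003-based DC
$BaseDn = 'DC=example,DC=test'    # placeholder: search base
$Filter = '(&(objectClass=user)(sAMAccountName=testuser))'  # placeholder: object to query

function Get-ReturnedAttributeNames {
    param([string]$Server, [string]$BaseDn, [string]$Filter)

    # Bind to a specific DC so both runs use the same query but different servers.
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$BaseDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    # PropertiesToLoad is left empty, so the server returns every attribute
    # that the caller is allowed to read.
    try {
        $result = $searcher.FindOne()
        if ($null -eq $result) { throw "No object matched $Filter on $Server" }
        # PropertyNames holds the names of the attributes actually returned.
        @($result.Properties.PropertyNames) |
            ForEach-Object { $_.ToLowerInvariant() } |
            Sort-Object -Unique
    }
    finally {
        $searcher.Dispose()
        $root.Dispose()
    }
}

$from2008 = @(Get-ReturnedAttributeNames -Server $Dc2008 -BaseDn $BaseDn -Filter $Filter)
$from2003 = @(Get-ReturnedAttributeNames -Server $Dc2003 -BaseDn $BaseDn -Filter $Filter)

# Attributes present in the 2003 result but absent from the 2008 result.
$missingOn2008 = @($from2003 | Where-Object { $from2008 -notcontains $_ })

# Record which account ran the query, since the symptom depends on the account.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"Query run as            : $($me.Name) ($($me.User.Value))"
"Built-in administrator  : $($me.User.Value -match '-500$')"
"Attributes from $Dc2003 : $($from2003.Count)"
"Attributes from $Dc2008 : $($from2008.Count)"
"Returned only by $Dc2003 :"
$missingOn2008
```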
