When you run a Lightweight Directory Access Protocol (LDAP) query against a Windows Server 2008-based domain controller, you obtain a partial attribute list. However, if you run the same LDAP query against a Windows Server 2003-based domain controller, you obtain a full attribute list.
Note: You can run this query from the domain controller or from a client computer that is running Windows Vista or Windows Server 2008.
The user account that you use to run the LDAP query has the following properties:
- The account is a member of the built-in Administrators group.
- The account is not the built-in administrator account.
- The account is a member of the Domain Admins group.
- The discretionary access control list (DACL) of the user object contains full control permission for the Administrators group.
- The effective permissions of the object that you query against show that the user has full control permission.