What attributes are you trying to modify? -D

----- Original Message -----
From: "Barrett, John" <[EMAIL PROTECTED]>
To: "Ken Cornetet" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, October 14, 2004 11:24 PM
Subject: RE: AD Authentication

I'm not sure exactly what the AD admin did, but I think he first tried giving me write access to only the attributes I need to modify, then full on users, then full control all objects, entire domain, then Domain Admin, which is what finally worked. I really don't want Domain Admin rights. I will be questioned every time something happens. Perhaps it's time to interrogate Microsoft.

-----Original Message-----
To my knowledge, the only thing AD requires secured LDAP connections for is changing passwords. How did your AD admin "back off the privileges"? Have your AD admin run the delegation wizard at the root of your domain, and give you full control over all objects. See if that works.

-----Original Message-----
On 13/10/04 10:59 pm, Barrett, John <[EMAIL PROTECTED]> wrote:
> I've written a script (below) that runs on a Unix server and modifies
> AD attributes. It works fine if the user I'm binding as is given
> Domain Admin privileges. The AD admins don't want to give me that
> much power (and I really don't want it), but when they back the
> privileges off to what they think should work I get "insufficient
> access" errors:
>
> update error: 00002098: SecErr: DSID-03150646, problem 4003
> (INSUFF_ACCESS_RIGHTS), data 0
>
> The only thing that seems to work is Domain Admin. The AD admins
> claim that I am not "presenting the security context correctly." I'm
> using simple bind. Is there anything I can do differently? Would SASL
> help?
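Added example, not the poster's script (which is not reproduced on the page): a small Python helper that parses the AD error string quoted in the thread and maps it to the least-privilege delegation the AD admin should grant instead of Domain Admin, plus the encrypted-session check for password writes. The attribute names and the "user objects" delegation scope are assumptions for illustration.

```python
import re

# Shape of the extended error AD appends to an LDAP result, as quoted in the thread:
# "00002098: SecErr: DSID-03150646, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0"
AD_ERROR_RE = re.compile(
    r"(?P<win32>[0-9A-Fa-f]{8}): (?P<kind>\w+): DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"problem (?P<problem>\d+) \((?P<name>[A-Z_]+)\), data (?P<data>\d+)"
)

# Attributes AD only accepts over an encrypted LDAP session (assumption for this
# example: only the password attribute, matching what the thread states).
ENCRYPTED_ONLY = {"unicodePwd"}


def parse_ad_error(message):
    """Extract Win32 code, DSID and LDAP problem from an AD error string."""
    m = AD_ERROR_RE.search(message)
    if m is None:
        return None
    parsed = m.groupdict()
    parsed["win32"] = int(parsed["win32"], 16)  # 0x2098 = ERROR_DS_INSUFF_ACCESS_RIGHTS
    parsed["problem"] = int(parsed["problem"])
    parsed["data"] = int(parsed["data"])
    return parsed


def plan_update(attributes, encrypted):
    """Least-privilege delegation for a modify: Write Property per attribute,
    scoped to user objects (assumed), plus the transport check."""
    needs_tls = sorted(a for a in attributes if a in ENCRYPTED_ONLY)
    return {
        "delegate": ["Write Property '%s' on user objects" % a
                     for a in sorted(attributes)],
        "needs_encryption": needs_tls,
        "transport_ok": encrypted or not needs_tls,
    }


def diagnose(error_message, attributes, encrypted):
    """Explain an update failure as the change the AD admin should make."""
    plan = plan_update(attributes, encrypted)
    if not plan["transport_ok"]:
        return "use LDAPS/StartTLS: %s can only be written over an encrypted session" % (
            ", ".join(plan["needs_encryption"]))
    err = parse_ad_error(error_message)
    if err and err["name"] == "INSUFF_ACCESS_RIGHTS":
        return "delegate, do not escalate: " + "; ".join(plan["delegate"])
    return "not an access-rights failure: " + error_message.strip()
```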
