> -----Original Message-----
> From: Barrett, John [mailto:[EMAIL PROTECTED]
> Sent: Thursday, October 14, 2004 2:24 PM
> I'm not sure exactly what the AD admin did but I think he first tried
> giving me write access to only the attributes I need to modify, then
> full on users, then full control all objects, entire domain, then Domain
> Admin which is what finally worked.
>
> > I've written a script (below) that runs on a Unix server and modifies
> > AD attributes. It works fine if the user I'm binding as is given
> > Domain Admin privileges. The AD admins don't want to give me that
> > much power (and I really don't want it) but when they back the
> > privileges off to what they think should work I get "insufficient
> > access" errors:
> >
> > update error: 00002098: SecErr: DSID-03150646, problem 4003
> > (INSUFF_ACCESS_RIGHTS), data 0
> >
> > The only thing that seems to work is Domain Admin. The AD admins
> > claim that I am not "presenting the security context correctly." I'm
> > using simple bind. Is there anything I can do differently? Would SASL

I'd suggest having the AD admins configure your access as they expect it should be and then grabbing a network capture of your script failure. It should be plain in the capture which request caused the rights issue. Given the progression of rights you list, it's possible you're unknowingly searching on objects in another naming context (i.e. Configuration) that you didn't have rights on until you were DA.
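
Added example, not part of the original message or of the poster's script: if each request the script sends is logged together with the diagnostic text the server returned, the Python code below parses the error string quoted above and reports which naming context every refused request targeted. The log layout, the function names and the example.com DNs are assumptions constructed for illustration, and it assumes a single-domain forest.

```python
import re

# Layout of the diagnostic text quoted in the message above.
DIAG_RE = re.compile(
    r"(?P<code>[0-9A-Fa-f]{8}): (?P<kind>\w+): DSID-(?P<dsid>[0-9A-Fa-f]{8}), "
    r"problem (?P<problem>\d+) \((?P<name>\w+)\), data (?P<data>-?\d+)")

def parse_diag(text):
    """Split an AD diagnostic string into fields; None if it does not match."""
    m = DIAG_RE.search(text or "")
    if m is None:
        return None
    d = m.groupdict()
    d["code"] = int(d["code"], 16)      # leading hex error code
    d["problem"] = int(d["problem"])
    d["data"] = int(d["data"])
    return d

def naming_context(dn, domain_nc):
    """Classify a DN by partition. Assumes a single-domain forest (so the
    Configuration and Schema partitions hang off domain_nc) and DNs written
    without spaces after the commas."""
    dn, root = dn.lower(), domain_nc.lower()
    config = "cn=configuration," + root
    for label, suffix in (("schema", "cn=schema," + config),
                          ("configuration", config),
                          ("domain", root)):
        if dn == suffix or dn.endswith("," + suffix):
            return label
    return "other"

def denied_requests(log, domain_nc):
    """Return (operation, dn, partition) for every request refused for rights."""
    hits = []
    for op, dn, diag in log:
        info = parse_diag(diag)
        if info and info["name"] == "INSUFF_ACCESS_RIGHTS":
            hits.append((op, dn, naming_context(dn, domain_nc)))
    return hits

# Constructed sample: one record per request the script sent, with the
# diagnostic text the server returned (empty on success).
SAMPLE_LOG = [
    ("search", "CN=Users,DC=example,DC=com", ""),
    ("modify", "CN=jdoe,CN=Users,DC=example,DC=com", ""),
    ("modify", "CN=Sites,CN=Configuration,DC=example,DC=com",
     "00002098: SecErr: DSID-03150646, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0"),
]

if __name__ == "__main__":
    for hit in denied_requests(SAMPLE_LOG, "DC=example,DC=com"):
        print(hit)
```

A refused request whose partition is not "domain" points at rights missing outside the domain naming context, which delegation on the domain alone would not cover.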
