LDAP Query for "memberof" Attribute

Charlie

We have separate Windows 2000 AD environments for dev, qa,
uat, staging, prod.

In our dev environment we are able to bind to AD via LDAP
port 389 using ldp.exe. We bind (simple bind) using a
normal, unprivileged account (the account is only a member of
Domain Users). When doing a search for the memberof
attribute (shows the groups of which the account is a
member), it is able to retrieve the "memberof" attributes
for user accounts.

However, in the other environments using an identically
named account with the same privilege level, the search
cannot retrieve the "memberof" attribute. But when I bind
using an account of higher privilege (Domain Admin), I can
retrieve the "memberof" attribute.

The environments were "allegedly" vanilla installs of AD.
I am not an LDAP guru by any means, but here are the areas
I checked:

I used LDIFDE and received the same result.

Using ADSI I checked the Configuration
Container/services/windowsnt/directory service/Query-Policies.
Both looked identical to me.

I started to check the schema container but quickly
realized I might get better results here.

The one thing I did not do was bind using the SSPI method (-b
flag in LDIFDE).

It looks like a permission issue, but where do I configure
it and what's the setting?

Any LDAP gurus available to help?

Thanks very much.

Charlie

Well, with the help of one of the more savvy Win2K admins,
we were able to figure this one out ourselves.

For the record, the Read Group Membership security setting
for "Authenticated Users" was checked.

The difference between the two environments was that
the "everyone" group was not nested in the "Pre-Windows
2000 Compatible Access" group. This can be configured
during the install process or added later, but does
require a reboot for post-install configurations.
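The two checks above (is Everyone nested in Pre-Windows 2000 Compatible Access, and can a plain Domain Users account read memberOf over a simple bind) as an added diagnostic script, not part of the original thread; it assumes the ActiveDirectory module is installed and the server, base DN and account names are placeholders to replace.

```powershell
# Added example: reproduce the thread's diagnosis from an admin workstation.
# Assumes RSAT's ActiveDirectory module; all names below are placeholders.
param(
    [string]$Server    = "dc01.example.com",      # placeholder domain controller
    [string]$BaseDn    = "DC=example,DC=com",     # placeholder base DN
    [string]$ProbeUser = "EXAMPLE\probe",         # hypothetical Domain Users-only account
    [string]$TargetSam = "someuser"               # user whose memberOf we try to read
)

Import-Module ActiveDirectory

# 1. Is "Everyone" (well-known SID S-1-1-0) nested in Pre-Windows 2000 Compatible Access?
#    The group stores it as a ForeignSecurityPrincipal, so inspect the raw member DNs
#    rather than Get-ADGroupMember, which cannot resolve that object type reliably.
$preWin2k = Get-ADGroup -Identity "Pre-Windows 2000 Compatible Access" -Properties member
$everyoneNested = [bool]($preWin2k.member | Where-Object { $_ -like "CN=S-1-1-0,*" })
Write-Host "Everyone nested in Pre-Windows 2000 Compatible Access: $everyoneNested"

# 2. Simple bind (same method as ldp.exe in the thread) as the unprivileged account and
#    ask for memberOf on a user. AuthenticationTypes::None is a cleartext simple bind;
#    for anything beyond a one-off diagnostic use ::Secure (SSPI, the ldifde -b path).
$cred  = Get-Credential -UserName $ProbeUser -Message "Unprivileged probe account"
$entry = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$Server/$BaseDn",
    $cred.UserName,
    $cred.GetNetworkCredential().Password,
    [System.DirectoryServices.AuthenticationTypes]::None)

$searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
$searcher.Filter = "(&(objectClass=user)(sAMAccountName=$TargetSam))"
[void]$searcher.PropertiesToLoad.Add("memberOf")
$result = $searcher.FindOne()

if ($null -eq $result) {
    Write-Host "User $TargetSam not found (or not visible) as $ProbeUser."
} elseif ($result.Properties["memberof"].Count -eq 0) {
    # The user exists but the attribute came back empty: the thread's symptom.
    Write-Host "memberOf not readable as $ProbeUser."
    if (-not $everyoneNested) {
        Write-Host "Likely cause: Everyone is not in Pre-Windows 2000 Compatible Access."
    }
} else {
    Write-Host "memberOf for ${TargetSam}:"
    $result.Properties["memberof"] | ForEach-Object { Write-Host "  $_" }
}
```

Nesting Everyone into that group widens read access for every authenticated and anonymous principal, so treat a "false" in check 1 as a deliberate hardening choice until the owners of that environment confirm otherwise.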