Cannot retrieve 'pwdLastSet' with anonymous bind to AD

O

ohaya

Hi,

I have to retrieve the 'pwdLastSet' attribute for a user from Active
Directory (Win2K Server), but I'm finding that if I use an anonymous
bind, I am not able to export it. If I do a simple bind (e.g., using
"cn=Administrator,cn=users,dc=whatever,dc=com", I can get it.

For example:

ldifde -f foo4 -s localhost -d
"cn=adpasswordexpired,cn=users,dc=whatever,dc=com" -r "(pwdlastset=*)"
-l pwdlastset -a "cn=administrator,cn=users,dc=whatever,dc=com" *

works, but:

ldifde -f foo4 -s localhost -d
"cn=adpasswordexpired,cn=users,dc=whatever,dc=com" -r "(pwdlastset=*)"
-l pwdlastset -a "" ""

returns nothing.

I thought that Win2K Server AD was enabled for anonymous binds by
default, so shouldn't I be able to access 'pwdLastSet'?

If I have to use a simple bind to get 'pwdLastSet', can anyone tell me
what kind of user I need to do the bind (e.g., has to be a member of
Administrators, etc.?), as I'd like to not to have to use cn=Administrator.

Thanks,
Jim
 
P

Paul Williams [MVP]

Anonymouse bind is allowed, but Anonymous doesn't have much access.

You need to do a simple bind. If you don't want to use Administrator
(good!), then you should delegate the ability for a specific group to read
this attribute. I'm not in a position to tell you which principals have
access to this by default, but I imagine authenticated users don't have read
access to this particular property.
 
J

Joe Richards [MVP]

You are binding fine. You just don't have permissions to see anything.
If you try that on a K3 DC you will see a message along the lines that a
successful bind is required.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
O

ohaya

Joe and Paul,

I found that if I do the bind with any user, I can access the
pwdLastSet, so I guess that's ok, i.e., I can setup a non-Administrator
user for this.

Thanks,
Jim
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Multiple OU's in csvde 0
Ldapsearch and AD 2
Add members to group with ldifde 0
How to programaticaly in VBS add user to a domain with exchange mailbox? 1
adprep /forestprep failed - What next?? 2
Import users to another domain with LDIFDE 1
LDIFDE export group membership with sAMAccountName 4
Setingt msNPAllowDialin alue using ldifde.exe fails 0

Top