Hello, all. This is the first post in what I hope will be a useful blog for the Windows admin community. In particular, the AD (or directory services in general) admins out there.
I work at one of Microsoft's Global Technical Support Centers providing support for Windows Directory Services every day. Working at Microsoft in that capacity has allowed me (and my colleagues) to see the common pitfalls as well as the less common, but very difficult scenarios. We get it all, but we're also more likely to see the more esoteric issues and know how to deal with them.
What I hope to do is post about once a week with a troubleshooting technique or scenario. Of course if there is a particular question anyone has, please ask. That's what this blog is for.
Small caveat: My forte is troubleshooting and fixing problems which are already occurring; that's simply what I deal with most often. For all other questions all I can say is that I will do my best to get you an answer (even if I pilfer it from one of our resident brainiacs).
A little about me: I do technical support for Microsoft customers who use Active Directory. I've had the pleasure of providing support here at Microsoft for about eight years. In that time I've supported Windows client, worked the beta for Windows Millennium Edition (please look at that as a plus not a minus), worked as a partner technical lead with our outsource partners, been a support engineer, and now work as a support escalation engineer.
In the next few days I will be posting the first *technical* post (this certainly wasn't). So, come on back. Let's see if I can help when you do.
In AD, there is an OU that is inheriting from the parent Org. I have added a specific security group to have permissions to this OU, and all objects. However, when logged in as a user of the security group, I receive the following error.
The Active Directory object could not be displayed. Unable to view attribute or value. You may not have permissions to view this object.
Kind of stumped on this one, any ideas?
I think it would be a good idea to review the permissions that are there. And perhaps to verify that the security group you used is, in fact, on the user's token.
For the OU and object permissions part you can use DSACLS.EXE to dump them to a text file and review them. It's generally easier than going through the properties sheet of each.
More on that is here: http://support.microsoft.com/default.aspx/kb/281146
For the token, there are a lot of different ways to check this. A nice GUI one is to use Process Explorer and look at the security tab of the Properties of Explorer.exe.
Process Explorer can be gotten here:
Hope this helps!
These postings are provided "AS IS" with no warranties, and confer no rights.
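The two checks suggested in the reply above, as an added PowerShell example (not part of the original post or reply): dump the OU's ACL with DSACLS for review, then confirm the group is on the logged-on user's token using `whoami /groups` as a command-line alternative to Process Explorer. The OU distinguished name and group name are constructed placeholders; run the DSACLS part as an account that can read the ACL, and the token part in the affected user's session.

```powershell
# Constructed placeholder values for this example; replace with your own.
$OuDn      = 'OU=Example,DC=contoso,DC=com'   # hypothetical OU distinguished name
$GroupName = 'CONTOSO\Example-OU-Admins'      # hypothetical security group
$OutFile   = Join-Path $env:TEMP 'ou-acl.txt'

# --- Part 1: run as an account that can read the OU's security descriptor ---
# Dump the ACL to a text file so it can be reviewed outside the property sheets.
& dsacls.exe $OuDn | Out-File -FilePath $OutFile -Encoding utf8
if ($LASTEXITCODE -ne 0) {
    Write-Warning "dsacls returned exit code $LASTEXITCODE; check the DN and your rights."
}

# Entries that name the group. No match means the grant never landed on this OU.
$groupAces = Select-String -Path $OutFile -SimpleMatch $GroupName
if ($groupAces) {
    $groupAces | ForEach-Object { $_.Line.Trim() }
} else {
    Write-Warning "No ACL entry in $OutFile mentions $GroupName."
}

# Deny entries are worth reading in full: an explicit deny for any group the
# user belongs to takes precedence over an allow at the same level.
Select-String -Path $OutFile -Pattern '^\s*Deny\b' |
    ForEach-Object { $_.Line.Trim() }

# --- Part 2: run in the affected user's logon session ---
# The token is built at logon, so a group added afterwards is not on it
# until the user logs off and back on.
# Column names below are those of the English-language whoami output.
$tokenGroups = whoami.exe /groups /fo csv | ConvertFrom-Csv
$match = $tokenGroups | Where-Object { $_.'Group Name' -eq $GroupName }

if ($match) {
    # "Attributes" shows whether the group is enabled or used for deny only.
    $match | Format-List 'Group Name', SID, Attributes
} else {
    Write-Warning "$GroupName is not on this token; log off and on, then re-check."
}
```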