I have my authentication app working with AD LDS when LDS users are members of the Admin or Reader role. Those users are able to search the app partition. However, I have an internal request to allow users that are members of the Users role to also be able to search the partition. I suspect the problem is a permission or ACL issue, so I attempted to dump these permissions for the Readers and Users roles. My goal is to determine the permission that I need and add it to the Users role. I appreciate any advice you can give to help.
I apologize in advance for the length of this post. First, here is my output from the dsacls command, which does not seem to list anything for the Users role:
Owner: CN=Administrators,CN=Roles,DC=AppPartFE,DC=com
Group: CN=Administrators,CN=Roles,DC=AppPartFE,DC=com
Access list:
Allow CN=Instances,CN=Roles,CN=Configuration,CN={875E7B3F-360F-4BE3-BA1F-8A5320AB307D}
SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow CN=Readers,CN=Roles,DC=AppPartFE,DC=com
SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow CN=Administrators,CN=Roles,DC=AppPartFE,DC=com
FULL CONTROL
Allow CN=Instances,CN=Roles,CN=Configuration,CN={875E7B3F-360F-4BE3-BA1F-8A5320AB307D}
Replicating Directory Changes
Allow CN=Instances,CN=Roles,CN=Configuration,CN={875E7B3F-360F-4BE3-BA1F-8A5320AB307D}
Replication Synchronization
Allow CN=Instances,CN=Roles,CN=Configuration,CN={875E7B3F-360F-4BE3-BA1F-8A5320AB307D}
Manage Replication Topology
Allow CN=Instances,CN=Roles,CN=Configuration,CN={875E7B3F-360F-4BE3-BA1F-8A5320AB307D}
Replicating Directory Changes All
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow CN=Readers,CN=Roles,DC=AppPartFE,DC=com
SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow CN=Administrators,CN=Roles,DC=AppPartFE,DC=com
FULL CONTROL
>>> Next is the output from ldp.exe > View Tree... > Advanced > Security Descriptor > Text Dump.
Here it looks to me like Users and Readers have the same permissions, which does not make sense to me.
Here is what Users have:
-----------
Security Descriptor:
Security Descriptor:SD Revision: 1
SD Control: 0x8c04
SE_DACL_PRESENT
SE_DACL_AUTO_INHERITED
SE_SACL_AUTO_INHERITED
SE_SELF_RELATIVE
Owner: CN=Administrators,CN=Roles,DC=AppPartFE,DC=com [S-1-393785894-280968348-512]
Group: CN=Administrators,CN=Roles,DC=AppPartFE,DC=com [S-1-393785894-280968348-512]
DACL:
Revision 4
Size: 56 bytes
# Aces: 2
Ace[0]
Ace Type: 0x0 - ACCESS_ALLOWED_ACE_TYPE
Ace Size: 24 bytes
Ace Flags: 0x12
CONTAINER_INHERIT_ACE
INHERITED_ACE
Ace Mask: 0x00020094
READ_CONTROL
ACTRL_DS_LIST
ACTRL_DS_READ_PROP
ACTRL_DS_LIST_OBJECT
Ace Sid: CN=Readers,CN=Roles,DC=AppPartFE,DC=com [S-1-393785894-280968348-514]
Ace[1]
Ace Type: 0x0 - ACCESS_ALLOWED_ACE_TYPE
Ace Size: 24 bytes
Ace Flags: 0x12
CONTAINER_INHERIT_ACE
INHERITED_ACE
Ace Mask: 0x000f01ff
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ACTRL_DS_CREATE_CHILD
ACTRL_DS_DELETE_CHILD
ACTRL_DS_LIST
ACTRL_DS_SELF
ACTRL_DS_READ_PROP
ACTRL_DS_WRITE_PROP
ACTRL_DS_DELETE_TREE
ACTRL_DS_LIST_OBJECT
ACTRL_DS_CONTROL_ACCESS
Ace Sid: CN=Administrators,CN=Roles,DC=AppPartFE,DC=com [S-1-393785894-280968348-512]
SACL not present
Security for "CN=Users,CN=Roles,DC=AppPartFE,DC=com"
-----------
Here is what Readers have:
-----------
Security Descriptor:
Security Descriptor:SD Revision: 1
SD Control: 0x8c04
SE_DACL_PRESENT
SE_DACL_AUTO_INHERITED
SE_SACL_AUTO_INHERITED
SE_SELF_RELATIVE
Owner: CN=Administrators,CN=Roles,DC=AppPartFE,DC=com [S-1-393785894-280968348-512]
Group: CN=Administrators,CN=Roles,DC=AppPartFE,DC=com [S-1-393785894-280968348-512]
DACL:
Revision 4
Size: 56 bytes
# Aces: 2
Ace[0]
Ace Type: 0x0 - ACCESS_ALLOWED_ACE_TYPE
Ace Size: 24 bytes
Ace Flags: 0x12
CONTAINER_INHERIT_ACE
INHERITED_ACE
Ace Mask: 0x00020094
READ_CONTROL
ACTRL_DS_LIST
ACTRL_DS_READ_PROP
ACTRL_DS_LIST_OBJECT
Ace Sid: CN=Readers,CN=Roles,DC=AppPartFE,DC=com [S-1-393785894-280968348-514]
Ace[1]
Ace Type: 0x0 - ACCESS_ALLOWED_ACE_TYPE
Ace Size: 24 bytes
Ace Flags: 0x12
CONTAINER_INHERIT_ACE
INHERITED_ACE
Ace Mask: 0x000f01ff
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ACTRL_DS_CREATE_CHILD
ACTRL_DS_DELETE_CHILD
ACTRL_DS_LIST
ACTRL_DS_SELF
ACTRL_DS_READ_PROP
ACTRL_DS_WRITE_PROP
ACTRL_DS_DELETE_TREE
ACTRL_DS_LIST_OBJECT
ACTRL_DS_CONTROL_ACCESS
Ace Sid: CN=Administrators,CN=Roles,DC=AppPartFE,DC=com [S-1-393785894-280968348-512]
SACL not present
Security for "CN=Readers,CN=Roles,DC=AppPartFE,DC=com"
-----------
Thanks!
leo
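Added example, not part of leo's post: a PowerShell script that grants the Users role the same read rights the dsacls dump of the partition shows for Readers (READ PERMISSIONS, LIST CONTENTS, READ PROPERTY, LIST OBJECT, inherited to all subobjects), re-reads the ACL to confirm the new ACE, and then binds as a member of the Users role and runs a search to prove the change took effect. Two things worth noting about the dumps above: the dsacls output is the DACL of the partition head, and it contains no ACE for CN=Users, which matches the symptom; the two ldp.exe text dumps are the security descriptors of the CN=Users and CN=Readers role objects themselves (they say who may read or modify those group objects), not what those groups are allowed to do in the partition, which is why they look identical. The instance host:port, the test user DN, and the password prompt are assumptions; the partition and role DNs come from the post.

```powershell
# Added example (not from the original post). Grants the AD LDS "Users" role the
# read rights that the dsacls dump shows for "Readers", confirms the ACE, and
# verifies with an LDAP search performed as a member of the Users role.
# Run from an account that is a member of the partition's Administrators role.
# Assumed values (not in the post): instance host:port and the test user DN.

$Instance  = 'ldsserver.example.com:50000'          # assumption: AD LDS host:port
$Partition = 'DC=AppPartFE,DC=com'
$UsersRole = "CN=Users,CN=Roles,$Partition"
$TestUser  = "CN=testuser,CN=People,$Partition"     # assumption: a member of the Users role

# dsacls addresses an AD LDS partition as \\host:port\DN
$Target = "\\$Instance\$Partition"

# RC = read permissions, LC = list contents, RP = read property, LO = list object:
# exactly the ACE dsacls shows for CN=Readers. /I:T applies it to this object and
# all subobjects, matching the inherited Readers ACE. (GR, generic read, expands to
# the same four rights.) If the app only searches one subtree, point $Target at that
# OU instead of the partition head; that is the least-privilege choice.
& dsacls.exe $Target /I:T /G "${UsersRole}:RCLCRPLO"
if ($LASTEXITCODE -ne 0) { throw "dsacls grant failed (exit code $LASTEXITCODE)" }

# Re-read the ACL and check that an ACE for the Users role now appears.
$aclDump   = & dsacls.exe $Target
$usersAces = @($aclDump | Where-Object { $_ -like "*Allow $UsersRole*" })
if ($usersAces.Count -eq 0) { throw "no ACE for $UsersRole found after grant" }
"ACE(s) for the Users role on ${Partition}:"
$usersAces

# Verify as a Users-role member: bind with the test user's DN and search the partition.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$cred = Get-Credential -UserName $TestUser -Message 'Password for the AD LDS test user'
$ldapHost, $ldapPort = $Instance.Split(':')
$identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier -ArgumentList $ldapHost, ([int]$ldapPort)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection -ArgumentList $identifier
$conn.SessionOptions.ProtocolVersion = 3
# A simple bind sends the password in clear; outside a lab, use the LDAPS port and:
# $conn.SessionOptions.SecureSocketLayer = $true
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = New-Object System.Net.NetworkCredential -ArgumentList $TestUser, $cred.Password
$conn.Bind()

$request  = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList $Partition, '(objectClass=user)', 'Subtree', @('distinguishedName')
$response = $conn.SendRequest($request)
"Search as $TestUser returned $($response.Entries.Count) entries"
$conn.Dispose()
```

Before the grant, the Bind() succeeds but the search returns zero entries (the Users member can authenticate but cannot list or read the partition); after it, the search returns the same entries a Readers member sees. Long DNs in dsacls output wrap onto a second line, as in the post, so the `-like` check assumes the role DN fits on one line; it does for the Readers and Users DNs shown here.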