rights/permission to search for tombstone objects via ADSI

rights/permission to search for tombstone objects via ADSI

Post by vu » Sun, 28 Apr 2002 03:39:50



I'm having a problem doing a tombstone search:
unless I am authenticated with Active Directory via an admin account
or an account whose "Member Of" includes either the Admin or Domain
Admin group (I have not tried all others), the search always seems to
return no tombstones!

my code is based on MSDN sample "Example Code to Retrieve Changes
Using USNChanged"

below is a simplified snippet of my code

this is how I get the rootDSE interface

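// Bind to rootDSE under explicit credentials.
// NOTE(review): szDSPath is declared outside this snippet. wcscpy/wcscat do not
// bound the write, so the buffer must hold szServerPath + L"rootDSE" plus the
// terminator -- confirm its size.
wcscpy(szDSPath, szServerPath);
wcscat(szDSPath, L"rootDSE");
// Credentials: these are sample values. Do not compile a real account name or
// password into the binary; read them at run time, or pass NULL for both with
// ADS_SECURE_AUTHENTICATION so ADSI binds in the calling thread's security
// context and the program never handles a password.
hr = ADsOpenObject(szDSPath,
                   L"PLACEHOLDER_ACCOUNT",   // placeholder: the account-name argument is missing from the posted snippet
                   L"someone'spassword",     // wide literal, because the parameter is LPCWSTR
                   ADS_SECURE_AUTHENTICATION,
                   IID_IADs,
                   (void**)&pRootDSE);
if (FAILED(hr)) {
    wprintf(L"failed to bind to root: 0x%x\n", hr);
    goto cleanup;
}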

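// Bind to the Deleted Objects container through its well-known GUID.
hr = pRootDSE->Get(L"defaultNamingContext", &var);
if (FAILED(hr)) {
    // var.bstrVal is only meaningful when Get succeeded, so stop here.
    wprintf(L"failed to get defaultNamingContext: 0x%x\n", hr);
    goto cleanup;
}
// NOTE(review): this swprintf form takes no buffer size. szDSPath (declared
// outside the snippet) must hold the server path, the GUID string and the
// naming context returned by the server -- confirm its size or use a
// size-taking variant.
swprintf(szDSPath,
         L"%s<WKGUID=%s,%s>",
         szServerPath, GUID_DELETED_OBJECTS_CONTAINER_W, var.bstrVal);
VariantClear(&var);
// The search below runs as the account given here; the poster reports that
// rows only come back when it is an admin account. The credentials are sample
// values -- do not compile a real account name or password into the binary.
hr = ADsOpenObject(szDSPath,
                   L"PLACEHOLDER_ACCOUNT",   // placeholder: the account-name argument is missing from the posted snippet
                   L"someone'spassword",     // wide literal, because the parameter is LPCWSTR
                   ADS_SECURE_AUTHENTICATION | ADS_FAST_BIND,
                   IID_IDirectorySearch,
                   (void**)&pSearch);
if (FAILED(hr)) {
    wprintf(L"failed to get IDirectorySearch: 0x%x\n", hr);
    goto cleanup;
}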

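// Search preferences: subtree scope, paged results, and tombstones included.
arSearchPrefs[0].dwSearchPref = ADS_SEARCHPREF_SEARCH_SCOPE;
arSearchPrefs[0].vValue.dwType = ADSTYPE_INTEGER;
arSearchPrefs[0].vValue.Integer = ADS_SCOPE_SUBTREE;

// Page size of 100 rows per server round trip.
arSearchPrefs[1].dwSearchPref = ADS_SEARCHPREF_PAGESIZE;
arSearchPrefs[1].vValue.dwType = ADSTYPE_INTEGER;
arSearchPrefs[1].vValue.Integer = 100;

// Ask the server to include deleted objects in the result.
// NOTE(review): this only requests tombstones. The poster sees no rows for
// non-admin accounts, which suggests the server's access check on the Deleted
// Objects container decides what is returned -- confirm against its ACL.
arSearchPrefs[2].dwSearchPref = ADS_SEARCHPREF_TOMBSTONE;
arSearchPrefs[2].vValue.dwType = ADSTYPE_BOOLEAN;
arSearchPrefs[2].vValue.Boolean = TRUE;

// 3 is the number of entries filled in above.
hr = pSearch->SetSearchPreference(arSearchPrefs, 3);
if (FAILED(hr)) {
    wprintf(L"failed to set search prefs: 0x%x\n", hr);
    goto cleanup;
}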

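// Build the filter: deleted objects whose uSNChanged is at or above the lower
// bound. Only an integer is formatted in, so no directory- or user-supplied
// text reaches the LDAP filter syntax here.
swprintf(szSearchFilter,
         L"(&(isDeleted=TRUE)(uSNChanged>=%I64d))",
         iLowerBoundUSN);

// Execute the search for the requested attributes.
hr = pSearch->ExecuteSearch(szSearchFilter,
                            pAttributeNames, dwAttributes, &hSearch);
if (FAILED(hr)) {
    wprintf(L"failed to execute search: 0x%x\n", hr);
    goto cleanup;
}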

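wprintf(L"Started search for deleted objects.\n");

// Walk the result rows; each row is an object deleted since the previous call.
dwCount = 0;
hr = pSearch->GetNextRow(hSearch);
while (SUCCEEDED(hr) && hr != S_ADS_NOMORE_ROWS)
{
    // Start each row from an all-zero record, so a missing column leaves an
    // empty string behind.
    ZeroMemory(&userdata, sizeof(MyUserData));

    // Get the distinguishedName.
    hr = pSearch->GetColumn(hSearch, L"distinguishedName", &col);
    if (SUCCEEDED(hr)) {
        if (col.dwADsType == ADSTYPE_DN_STRING && col.pADsValues) {
            // The DN comes from the server and has no fixed length, so copy at
            // most capacity-1 characters; the ZeroMemory above supplies the
            // terminator. Assumes the field is an in-struct WCHAR array (it is
            // written right after being zeroed) -- confirm against MyUserData.
            wcsncpy(userdata.distinguishedName,
                    col.pADsValues->DNString,
                    sizeof(userdata.distinguishedName) / sizeof(userdata.distinguishedName[0]) - 1);
        }
        pSearch->FreeColumn(&col);
    }

    // Get the objectGUID number.
    hr = pSearch->GetColumn(hSearch, L"objectGUID", &col);
    if (SUCCEEDED(hr)) {
        // BuildGUIDString is not shown; presumably it reads a 16-byte GUID, so
        // reject an octet string of any other length before handing it over.
        if ((col.dwADsType == ADSTYPE_OCTET_STRING) && col.pADsValues &&
            (col.pADsValues->OctetString.lpValue) &&
            (col.pADsValues->OctetString.dwLength == sizeof(GUID)))
        {
            BuildGUIDString(szGUID, (LPBYTE) col.pADsValues->OctetString.lpValue);
            wcsncpy(userdata.objectGUID, szGUID,
                    sizeof(userdata.objectGUID) / sizeof(userdata.objectGUID[0]) - 1);
        }
        pSearch->FreeColumn(&col);
    }

    // If the objectGUID of a deleted object matches an objectGUID in our
    // secondary storage, delete the object from our storage. Skip the delete
    // when no GUID was read, so it is never keyed on an empty identifier.
    if (userdata.objectGUID[0] != L'\0')
        DeleteObjectDataFromStorage(&userdata);
    dwCount++;   // counts rows returned by the search
    hr = pSearch->GetNextRow(hSearch);
}

// NOTE(review): a failing HRESULT also ends the loop and hr is not inspected
// here, so an error and "no more rows" both print the same count.
wprintf(L"deleted dwCount: %d\n", dwCount);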

Are there any restrictions on who can execute the search?
permissions/rights/policies?

TIA

 
 
 

rights/permission to search for tombstone objects via ADSI

Post by vun » Sun, 28 Apr 2002 03:43:04


I'm having a problem doing a tombstone search:
unless I am authenticated with Active Directory via an admin account
or an account whose "Member Of" includes either the Admin or Domain
Admin group (I have not tried all others), the search always seems to
return no tombstones!

my code is based on MSDN sample "Example Code to Retrieve
Changes
Using USNChanged"

below is a simplified snippet of my code

this is how I get the rootDSE interface

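// Bind to rootDSE under explicit credentials.
// NOTE(review): szDSPath is declared outside this snippet. wcscpy/wcscat do not
// bound the write, so the buffer must hold szServerPath + L"rootDSE" plus the
// terminator -- confirm its size.
wcscpy(szDSPath, szServerPath);
wcscat(szDSPath, L"rootDSE");
// Credentials: these are sample values. Do not compile a real account name or
// password into the binary; read them at run time, or pass NULL for both with
// ADS_SECURE_AUTHENTICATION so ADSI binds in the calling thread's security
// context and the program never handles a password.
hr = ADsOpenObject(szDSPath,
                   L"PLACEHOLDER_ACCOUNT",   // placeholder: the account-name argument is missing from the posted snippet
                   L"someone'spassword",     // wide literal, because the parameter is LPCWSTR
                   ADS_SECURE_AUTHENTICATION,
                   IID_IADs,
                   (void**)&pRootDSE);
if (FAILED(hr)) {
    wprintf(L"failed to bind to root: 0x%x\n", hr);
    goto cleanup;
}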

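// Bind to the Deleted Objects container through its well-known GUID.
hr = pRootDSE->Get(L"defaultNamingContext", &var);
if (FAILED(hr)) {
    // var.bstrVal is only meaningful when Get succeeded, so stop here.
    wprintf(L"failed to get defaultNamingContext: 0x%x\n", hr);
    goto cleanup;
}
// NOTE(review): this swprintf form takes no buffer size. szDSPath (declared
// outside the snippet) must hold the server path, the GUID string and the
// naming context returned by the server -- confirm its size or use a
// size-taking variant.
swprintf(szDSPath,
         L"%s<WKGUID=%s,%s>",
         szServerPath, GUID_DELETED_OBJECTS_CONTAINER_W, var.bstrVal);
VariantClear(&var);
// The search below runs as the account given here; the poster reports that
// rows only come back when it is an admin account. The credentials are sample
// values -- do not compile a real account name or password into the binary.
hr = ADsOpenObject(szDSPath,
                   L"PLACEHOLDER_ACCOUNT",   // placeholder: the account-name argument is missing from the posted snippet
                   L"someone'spassword",     // wide literal, because the parameter is LPCWSTR
                   ADS_SECURE_AUTHENTICATION | ADS_FAST_BIND,
                   IID_IDirectorySearch,
                   (void**)&pSearch);
if (FAILED(hr)) {
    wprintf(L"failed to get IDirectorySearch: 0x%x\n", hr);
    goto cleanup;
}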

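// Search preferences: subtree scope, paged results, and tombstones included.
arSearchPrefs[0].dwSearchPref = ADS_SEARCHPREF_SEARCH_SCOPE;
arSearchPrefs[0].vValue.dwType = ADSTYPE_INTEGER;
arSearchPrefs[0].vValue.Integer = ADS_SCOPE_SUBTREE;

// Page size of 100 rows per server round trip.
arSearchPrefs[1].dwSearchPref = ADS_SEARCHPREF_PAGESIZE;
arSearchPrefs[1].vValue.dwType = ADSTYPE_INTEGER;
arSearchPrefs[1].vValue.Integer = 100;

// Ask the server to include deleted objects in the result.
// NOTE(review): this only requests tombstones. The poster sees no rows for
// non-admin accounts, which suggests the server's access check on the Deleted
// Objects container decides what is returned -- confirm against its ACL.
arSearchPrefs[2].dwSearchPref = ADS_SEARCHPREF_TOMBSTONE;
arSearchPrefs[2].vValue.dwType = ADSTYPE_BOOLEAN;
arSearchPrefs[2].vValue.Boolean = TRUE;

// 3 is the number of entries filled in above.
hr = pSearch->SetSearchPreference(arSearchPrefs, 3);
if (FAILED(hr)) {
    wprintf(L"failed to set search prefs: 0x%x\n", hr);
    goto cleanup;
}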

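// Build the filter: deleted objects whose uSNChanged is at or above the lower
// bound. Only an integer is formatted in, so no directory- or user-supplied
// text reaches the LDAP filter syntax here.
swprintf(szSearchFilter,
         L"(&(isDeleted=TRUE)(uSNChanged>=%I64d))",
         iLowerBoundUSN);

// Execute the search for the requested attributes.
hr = pSearch->ExecuteSearch(szSearchFilter,
                            pAttributeNames, dwAttributes, &hSearch);
if (FAILED(hr)) {
    wprintf(L"failed to execute search: 0x%x\n", hr);
    goto cleanup;
}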

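wprintf(L"Started search for deleted objects.\n");

// Walk the result rows; each row is an object deleted since the previous call.
dwCount = 0;
hr = pSearch->GetNextRow(hSearch);
while (SUCCEEDED(hr) && hr != S_ADS_NOMORE_ROWS)
{
    // Start each row from an all-zero record, so a missing column leaves an
    // empty string behind.
    ZeroMemory(&userdata, sizeof(MyUserData));

    // Get the distinguishedName.
    hr = pSearch->GetColumn(hSearch, L"distinguishedName", &col);
    if (SUCCEEDED(hr)) {
        if (col.dwADsType == ADSTYPE_DN_STRING && col.pADsValues) {
            // The DN comes from the server and has no fixed length, so copy at
            // most capacity-1 characters; the ZeroMemory above supplies the
            // terminator. Assumes the field is an in-struct WCHAR array (it is
            // written right after being zeroed) -- confirm against MyUserData.
            wcsncpy(userdata.distinguishedName,
                    col.pADsValues->DNString,
                    sizeof(userdata.distinguishedName) / sizeof(userdata.distinguishedName[0]) - 1);
        }
        pSearch->FreeColumn(&col);
    }

    // Get the objectGUID number.
    hr = pSearch->GetColumn(hSearch, L"objectGUID", &col);
    if (SUCCEEDED(hr)) {
        // BuildGUIDString is not shown; presumably it reads a 16-byte GUID, so
        // reject an octet string of any other length before handing it over.
        if ((col.dwADsType == ADSTYPE_OCTET_STRING) && col.pADsValues &&
            (col.pADsValues->OctetString.lpValue) &&
            (col.pADsValues->OctetString.dwLength == sizeof(GUID)))
        {
            BuildGUIDString(szGUID, (LPBYTE) col.pADsValues->OctetString.lpValue);
            wcsncpy(userdata.objectGUID, szGUID,
                    sizeof(userdata.objectGUID) / sizeof(userdata.objectGUID[0]) - 1);
        }
        pSearch->FreeColumn(&col);
    }

    // If the objectGUID of a deleted object matches an objectGUID in our
    // secondary storage, delete the object from our storage. Skip the delete
    // when no GUID was read, so it is never keyed on an empty identifier.
    if (userdata.objectGUID[0] != L'\0')
        DeleteObjectDataFromStorage(&userdata);
    dwCount++;   // counts rows returned by the search
    hr = pSearch->GetNextRow(hSearch);
}

// NOTE(review): a failing HRESULT also ends the loop and hr is not inspected
// here, so an error and "no more rows" both print the same count.
wprintf(L"deleted dwCount: %d\n", dwCount);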

Are there any restrictions on who can execute the search?
permissions/rights/policies?

TIA