A follow-up to How can I check if a user has write rights in Active Directory using C#?

I ran this to grant the user write access to an attribute:

dsacls "OU=Users,OU=OrgABC,DC=foo,DC=local" /G "FOO\example.user:WP;title;user" /I:S

The goal is to allow a user to have write access to an attribute for all users in an OU. Through ADUC, I can indeed write to that attribute. The Effective Access tab shows the user can read both allowedAttributes and allowedAttributesEffective.

Just like the referenced question, I call RefreshCache then de.Properties["allowedAttributesEffective"]. As a domain admin, it returns attributes. As a domain user, it is empty. I believe constructed attributes are not replicated, but I don't think that should matter here. Just to be safe, I manually pointed to the same DC for all my tests (and everything remained the same).

What am I missing?

Tyler

1 Answer

It shows up if using DirectorySearcher:

...
// PropertiesToLoad is a member of DirectorySearcher, not of the DirectoryEntry (de)
searcher.PropertiesToLoad.Add("allowedAttributesEffective");
searcher.FindAll();
...

Of course, I have to run a search, but this seems to fit what I'm doing. This may not be an answer for some; I'd still love to know why RefreshCache doesn't work.

Tyler
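
The DirectorySearcher approach from the answer, written out as a complete check for one object. This is an added example, not code from the original posts; it assumes a base-scoped FindOne in place of FindAll, and the user CN in the sample path is constructed (the OU and the title attribute are the ones from the question).

```csharp
using System;
using System.DirectoryServices;
using System.Linq;

static class EffectiveWriteCheck
{
    // Returns true when the account this process binds as may write
    // `attribute` on the object at `ldapPath`. allowedAttributesEffective is
    // computed by the DC for the caller of the query, so the result describes
    // the current security context, not an arbitrary user.
    public static bool CanWrite(string ldapPath, string attribute)
    {
        using (var entry = new DirectoryEntry(ldapPath))
        using (var searcher = new DirectorySearcher(entry))
        {
            searcher.SearchScope = SearchScope.Base;   // only this object
            searcher.Filter = "(objectClass=*)";
            // Constructed attributes are returned only when named explicitly.
            searcher.PropertiesToLoad.Add("allowedAttributesEffective");

            SearchResult result = searcher.FindOne();
            if (result == null)
                return false;   // object not found or not visible to the caller

            // A missing attribute yields an empty collection: nothing writable.
            return result.Properties["allowedAttributesEffective"]
                         .Cast<object>()
                         .Any(v => string.Equals(v.ToString(), attribute,
                                                 StringComparison.OrdinalIgnoreCase));
        }
    }

    static void Main()
    {
        // Constructed sample DN under the OU from the question.
        const string path =
            "LDAP://CN=Some User,OU=Users,OU=OrgABC,DC=foo,DC=local";
        Console.WriteLine(CanWrite(path, "title")
            ? "title is writable by the current account"
            : "title is NOT writable by the current account");
    }
}
```

Run it as the delegated account itself (for example from a session started as FOO\example.user), since the value is evaluated for whoever issues the query.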