When querying with LDAP against our Active Directory structure to look up user accounts, some records (but not all) are missing certain key fields, specifically memberOf and userAccountControl (which has a bit flag that indicates whether the account is disabled or not).

Here’s a few refining details:

• If the query is set to filter on any of those fields (such as getting a list of non-disabled accounts in the Marketing department group), they disappear from the result set (since as far as AD is concerned, they’re missing).

• If the query is performed with a highly-privileged domain admin account, the query works just fine.

• The records with the problem is about 1/4 – 1/3 of the total user records. Most do seem to be newer records (we thought for a time that it was perhaps related to upgrading to 2003 on the domain controller server), although some older records seem affected as well.

• A cursory look over two similar records, one whose entire record is viewable by any account, and another which isn’t doesn’t show any obvious differences.

So my best guess is that there’s some sort of permission deny set (perhaps at the schema level?) which makes certain fields restricted. I should note that the domain administrators never knowingly set any such permissions.

UPDATE/RESOLUTION: ADSI Edit (in Windows 2003 Support Tools) helped me to nail it down to a change in the default permissions on the Authenticated User role. For some people, the role contained the Read Account Restrictions (which contains userAccountControl) and Read Group Membership (memberOf), and for others it didn’t.

The original cause of the difference still isn’t clear, although the fact that most of the ‘bad’ records were created after a switch to Windows 2003 for the Domain Controller, that could be a factor.

SOLUTION: This is still a bit undecided, but will most likely be an updated Group Policy, combined with a script to update existing accounts.