[cifs-protocol] behavior of windows with/without the DS-Replication-Get-Changes-In-Filtered-Set right

Matthieu Patou mat at samba.org
Mon Jan 31 15:35:16 MST 2011

Dear doc team,

This page, 
http://msdn.microsoft.com/en-us/library/cc223347%28v=prot.10%29.aspx, says:

"If the flag is not specified, the server MUST do the following:
If the server is running Windows Server® 2008 operating system or 
Windows Server® 2008 R2 operating system and the client has requested 
any attributes in the filtered attribute set, the server checks that the 
client has the DS-Replication-Get-Changes-In-Filtered-Set control access 
right (section 
or else returns the /insufficientAccessRights/ error to the client."

The flag that we are talking about is LDAP_SERVER_DIRSYNC_OID.
I either have some problems to understand the meaning of "requested any 
attributes in the filtered attribute set" or I have problems requesting 
them or something else as I'm unable to test this particular case.

In w2k8r2 I created a user and granted him DS-Replication-Get-Changes, 
but not DS-Replication-Get-Changes-In-Filtered-Set so I'm expecting that 
when I add the filter "(samaccountname=ad*)", in the ldap request, that 
the system will reject my request but it's not so I'm wondering what is 
exactly "the filtered attribute set" ? Can you clarify this point ?


Matthieu Patou.

Matthieu Patou
Samba Team        http://samba.org
Private repo      http://git.samba.org/?p=mat/samba.git;a=summary

More information about the cifs-protocol mailing list