Windows and Windows Server have User Account Control, which has ramifications for applications that use Active Directory Service Interfaces (ADSI). Specifically, these interfaces were designed to be run by a user account with administrator privileges on the local computer.
Problem
Every time an application connects to the directory and attempts to create an ADSI object, the Active Directory Schema is checked for changes. If it has changed since the last connection, the schema is downloaded and stored in a cache on the local computer. In versions of Windows prior to Windows Vista, the default location for this cache was
%systemroot%\SchCache\
However, applications run under standard (that is, non-administrator) accounts do not have access to this directory. Consequently, ADSI applications run in this mode download the schema on every connection, which reduces throughput and performance.
Solutions
Single user - To resolve this issue, there are new ADSI Provider registry control keys that determine the registry locations and file locations for cached Active Directory Schema objects. If the registry key
These settings are the default settings on computers running Windows Server 2008 or Windows Vista.
Multi-user - If you are running ADSI applications on a computer with many user accounts (for example, a web server), then it's preferable not to have many copies of the Active Directory Schema cache using up large amounts of disk space. Setting the registry key
to 1 (one) will revert ADSI to the previous behavior; all Active Directory Schema objects will be stored in their previous locations; the registry key will be in
In this case, administrator accounts should run the application, which will cause the schema file to be cached in the global location for future use by the less privileged users.
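The following PowerShell script is an added example; it is not code from this page or from Microsoft. It reports which schema cache directory applies to the current account, tests whether that directory is writable (the condition that decides whether the schema is re-downloaded on every connection), and, with -Warm, performs the multi-user pre-warm step from an elevated session by binding to the directory once. The registry key path and value name are placeholders, because the page does not give them; substitute the ADSI Provider control key documented for your Windows version. The per-user cache path under %LOCALAPPDATA% is likewise an assumption, not something the page states.

```powershell
<#
Added example (not from the page or from Microsoft).
Checks which ADSI schema cache location applies, whether it is writable,
and optionally pre-warms the global cache from an elevated session.
ASSUMPTIONS: $ProviderKey, $ValueName and the per-user cache path below are
placeholders/assumptions; replace them with the documented values.
#>
param(
    [string]$ProviderKey = 'HKLM:\SOFTWARE\PLACEHOLDER_ADSI_PROVIDER_KEY',   # placeholder
    [string]$ValueName   = 'PLACEHOLDER_UseOldSchemaCacheLocation',         # placeholder
    [switch]$Warm
)

function Test-DirectoryWritable {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    # Probe by creating and deleting a uniquely named temp file
    $probe = Join-Path $Path ("schcache-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

# 1. Is this session running with local administrator rights?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. Read the control value; an absent value or 0 means the per-user cache is used.
$useOld = 0
$prop = Get-ItemProperty -Path $ProviderKey -Name $ValueName -ErrorAction SilentlyContinue
if ($null -ne $prop) { $useOld = [int]$prop.$ValueName }

# 3. Resolve the effective cache directory and test write access.
$globalCache  = Join-Path $env:SystemRoot 'SchCache'                      # legacy location named on the page
$perUserCache = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\SchCache'  # ASSUMED per-user location
$cacheDir     = if ($useOld -eq 1) { $globalCache } else { $perUserCache }
$writable     = Test-DirectoryWritable -Path $cacheDir

[pscustomobject]@{
    User           = $identity.Name
    IsAdmin        = $isAdmin
    UseOldLocation = $useOld
    CacheDirectory = $cacheDir
    CacheWritable  = $writable
    Impact         = if ($writable) { 'OK' } else { 'Schema will be re-downloaded on every connection' }
}

# 4. Optional pre-warm for the multi-user case: an elevated session binds once so
#    the schema is cached in the global location for standard users.
if ($Warm) {
    if ($useOld -ne 1 -or -not $isAdmin) {
        Write-Warning 'Pre-warming only helps when the global location is in use and this session is elevated.'
    }
    $root = [ADSI]'LDAP://RootDSE'
    $dn   = $root.defaultNamingContext
    $de   = [ADSI]"LDAP://$dn"
    $null = $de.distinguishedName   # forces the bind, which performs the schema check described above
    Write-Output "Bound to $dn; schema cache refreshed if it was stale."
}
```

Run it once as a standard user and once from an elevated prompt on the same computer: the CacheWritable and Impact fields show directly whether that account would hit the per-connection schema download the Problem section describes, and the -Warm switch (from the elevated prompt) performs the pre-warm the Multi-user solution relies on.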