LDAP search returns no entries for hidden or deleted objects

Using LDAP with Simple Authentication and appending cn=Admin to the username does not return hidden or deleted objects.

The use of cn=Admin is discussed briefly in the Microsoft TechNet documentation in the following white paper:

"Active Directory Service Interfaces in the Microsoft Exchange 5.5 Environment"

To view the whitepaper, visit the following Microsoft Web site:
http://www.microsoft.com/technet/prodtechnol/exchange/55/support/adsi.mspx

During an attempt by the Microsoft Exchange Server directory Service to determine whether the user who is logged on has View Only Admin rights (or greater), a Windows NT system call fails, which causes the user to be denied the right to view hidden and deleted objects.

The system service attempts to access a thread token, and the Discretionary Access Control List (DACL) on the impersonated thread may vary based on the type of impersonation. (For instance, whether ImpersonateLoggedOnUser() or ImpersonateNamedPipeClient() was called.)

For basic authentication (required in order to pass the cn=Admin argument), the thread token was inaccessible to the impersonated client.

To work around this problem, make the Exchange Server Service account a member of the Local Administrators group.