I have an ASP.NET application that uses the System.DirectoryServices.AccountManagement.GroupPrincipal.FindByIdentity(PrincipalContext, String) method to get a group principal object. When the code runs under an AD account that has the "Read All Properties" permission for an AD global security group, the corresponding group principal object can be instantiated without problems. However, this "Read All Properties" permission consists of fifty or so more detailed permissions to read properties like "Name", "Description", "msExchLabeledURI" and so on. Some of these properties can be locked down for some AD accounts, and I found that the GroupPrincipal.FindByIdentity method may return NULL in such cases. Is there a minimum set of group properties that an AD account should have the Read permission on so that the FindByIdentity method can instantiate the corresponding GroupPrincipal object?
Thanks in advance!
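An added diagnostic example, not part of the original post: run under the restricted account, it reports what FindByIdentity returns for one group and which of a list of probed attributes that account can actually read, so the effect of each per-property Read permission can be observed directly. The group DN, the domain name and the probe list are constructed placeholders, and the list is a starting point for testing, not a documented minimum set.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

static class GroupReadCheck
{
    // Constructed probe list (assumption): attributes to test for readability.
    static readonly string[] Probe =
    {
        "objectClass", "objectCategory", "objectSid", "objectGUID",
        "distinguishedName", "sAMAccountName", "name", "cn",
        "groupType", "description", "member"
    };

    static void Main(string[] args)
    {
        // Placeholder values; pass the real domain and group DN as arguments.
        string domain = args.Length > 0 ? args[0] : "example.test";
        string groupDn = args.Length > 1 ? args[1]
            : "CN=SampleGroup,OU=Groups,DC=example,DC=test";

        // 1. What the AccountManagement API returns for the current identity.
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        using (var gp = GroupPrincipal.FindByIdentity(
                   ctx, IdentityType.DistinguishedName, groupDn))
        {
            Console.WriteLine("FindByIdentity: " +
                (gp == null ? "null" : gp.DistinguishedName));
        }

        // 2. Base-scope read of the same object: only attributes the caller
        //    may read (and that have a value) come back in the result.
        using (var entry = new DirectoryEntry("LDAP://" + groupDn))
        using (var searcher = new DirectorySearcher(entry, "(objectClass=*)"))
        {
            searcher.SearchScope = SearchScope.Base;
            searcher.PropertiesToLoad.AddRange(Probe);
            SearchResult hit = searcher.FindOne();
            if (hit == null)
            {
                Console.WriteLine("Object not visible to this account.");
                return;
            }
            foreach (string attr in Probe)
                Console.WriteLine("{0,-20} {1}", attr,
                    hit.Properties.Contains(attr) ? "readable" : "not returned");
        }
    }
}
```

An attribute shown as "not returned" is either denied to the account or simply has no value on that group, so compare the output with a run under an account that has "Read All Properties".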