I'm using the System.DirectoryServices.AccountManagement.GroupPrincipal.FindByIdentity(PrincipalContext, String) method to get a GroupPrincipal object. When the code runs under an AD account that has the "Read All Properties" permission for an AD global security group, the corresponding GroupPrincipal object can be instantiated. However, this "Read All Properties" permission consists of fifty or so more detailed permissions to read group properties like "Name", "Description", "msExchLabeledURI" and so on. Some of these properties can be locked down for some AD accounts, and I found that the GroupPrincipal.FindByIdentity method can return NULL in such cases. Is there a minimum set of group properties that an AD account should have the Read permission on so that the FindByIdentity method can instantiate the corresponding GroupPrincipal object?