Access level needed to look up username

[sqlboy2000]

Hi all,
I'm currently using the following call to look up a user's windows Full Name
from the domain controller:

Dim strFilter = "(&(sAMAccountname=" & strUser &
")(objectClass=user))"
Dim objEntry As New DirectoryEntry("LDAP://myDC", "user", "password")
Dim search As New DirectorySearcher(objEntry)
search.Filter = strFilter
Dim result As DirectoryEntry = search.FindOne.GetDirectoryEntry
Label1.Text = result.Properties("displayName").Value

This works fine, but my question is what are the minimum rights the user
account would need to look this value up? Do you need to be a domain admin to
access the user object and look up the Full Name?

I'm trying to set up an account with the least rights possible to lookup a
Full Name.

Thanks.

 

[Joe Kaplan \(MVP - ADSI\)]

This depends on the security settings on your AD, but in general a normal
domain user will be able to read displayName on most users.

I'd also recommend specifying AuthenticationTypes.Secure on your DE
constructor and suggest reading the displayName the SearchResult directly
rather than getting the DE via GetDirectoryEntry. It will be faster (fewer
round trips). You need to add "displayName" to PropertiesToLoad to have it
be in the SearchResult.

HTH,

Joe K.

 

[sqlboy2000]

Thanks for the info.

This depends on the security settings on your AD, but in general a normal
domain user will be able to read displayName on most users.

I'd also recommend specifying AuthenticationTypes.Secure on your DE
constructor and suggest reading the displayName the SearchResult directly
rather than getting the DE via GetDirectoryEntry. It will be faster (fewer
round trips). You need to add "displayName" to PropertiesToLoad to have it
be in the SearchResult.

HTH,

Joe K.