Access level needed to look up username

Discussion in 'ASP .Net Security' started by sqlboy2000, Sep 15, 2005.

  1. sqlboy2000

    sqlboy2000 Guest

    Hi all,
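    I'm currently using the following call to look up a user's Windows Full Name
    from the domain controller:

    Imports System.DirectoryServices

    ' Match the user object whose sAMAccountName equals strUser
    Dim strFilter As String = "(&(sAMAccountname=" & strUser & ")(objectClass=user))"
    ' Bind to the domain controller with explicit credentials
    Dim objEntry As New DirectoryEntry("LDAP://myDC", "user", "password")
    Dim search As New DirectorySearcher(objEntry)
    search.Filter = strFilter
    ' Fetch the matching entry, then read its displayName attribute
    Dim result As DirectoryEntry = search.FindOne.GetDirectoryEntry
    Label1.Text = CStr(result.Properties("displayName").Value)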

    This works fine, but my question is what are the minimum rights the user
    account would need to look this value up? Do you need to be a domain admin to
    access the user object and look up the Full Name?

    I'm trying to set up an account with the least rights possible to look up a
    Full Name.

    Thanks.
     
    sqlboy2000, Sep 15, 2005
    #1

  2. This depends on the security settings on your AD, but in general a normal
    domain user will be able to read displayName on most users.

    I'd also recommend specifying AuthenticationTypes.Secure on your DE
    constructor and suggest reading the displayName from the SearchResult directly
    rather than getting the DE via GetDirectoryEntry. It will be faster (fewer
    round trips). You need to add "displayName" to PropertiesToLoad to have it
    be in the SearchResult.

    HTH,

    Joe K.
     
    Joe Kaplan (MVP - ADSI), Sep 16, 2005
    #2
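
Added example, not code from the thread or from either poster: the lookup from the question rewritten along the lines of the reply above, with AuthenticationTypes.Secure on the bind, "displayName" in PropertiesToLoad, and the value read straight from the SearchResult. The server name and credentials are the placeholders from the question; EscapeFilterValue and GetDisplayName are hypothetical helper names, and the RFC 4515 filter escaping is an addition the thread does not mention.

```vbnet
Imports System.DirectoryServices
Imports System.Text

Module DisplayNameLookup
    ' Hypothetical helper: escape the RFC 4515 special characters so a
    ' caller-supplied user name cannot change the structure of the filter.
    Function EscapeFilterValue(ByVal value As String) As String
        Dim sb As New StringBuilder()
        For Each c As Char In value
            Select Case c
                Case "\"c : sb.Append("\5c")
                Case "*"c : sb.Append("\2a")
                Case "("c : sb.Append("\28")
                Case ")"c : sb.Append("\29")
                Case ChrW(0) : sb.Append("\00")
                Case Else : sb.Append(c)
            End Select
        Next
        Return sb.ToString()
    End Function

    ' Returns the displayName, or Nothing when no user matches or the
    ' bind account is not allowed to read the attribute.
    Function GetDisplayName(ByVal strUser As String) As String
        Dim strFilter As String = "(&(sAMAccountName=" & _
            EscapeFilterValue(strUser) & ")(objectClass=user))"
        ' "myDC", "user" and "password" are the placeholders from the question.
        Using objEntry As New DirectoryEntry("LDAP://myDC", "user", "password", _
                                             AuthenticationTypes.Secure)
            Using search As New DirectorySearcher(objEntry)
                search.Filter = strFilter
                ' Ask for only the one attribute so it comes back in the SearchResult.
                search.PropertiesToLoad.Add("displayName")
                Dim result As SearchResult = search.FindOne()
                If result Is Nothing OrElse _
                   Not result.Properties.Contains("displayName") Then
                    Return Nothing
                End If
                ' No GetDirectoryEntry call, so no extra round trip to the DC.
                Return CStr(result.Properties("displayName")(0))
            End Using
        End Using
    End Function
End Module
```

When testing a low-privilege bind account, a return value of Nothing for a user known to exist indicates the account cannot read displayName on that object.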

  3. sqlboy2000

    sqlboy2000 Guest

    Thanks for the info.
     
    sqlboy2000, Sep 21, 2005
    #3