«

Hi all,
I'm currently using the following call to look up a user's windows Full Name
from the domain controller:

Dim strFilter = "(&(sAMAccountname=" & strUser &
")(objectClass=user))"
Dim objEntry As New DirectoryEntry("LDAP://myDC", "user", "password")
Dim search As New DirectorySearcher(objEntry)
search.Filter = strFilter
Dim result As DirectoryEntry = search.FindOne.GetDirectoryEntry
Label1.Text = result.Properties("displayName").Value

This works fine, but my question is what are the minimum rights the user
account would need to look this value up? Do you need to be a domain admin to
access the user object and look up the Full Name?

I'm trying to set up an account with the least rights possible to lookup a
Full Name.

Thanks.

This depends on the security settings on your AD, but in general a normal
domain user will be able to read displayName on most users.

I'd also recommend specifying AuthenticationTypes.Secure on your DE
constructor and suggest reading the displayName the SearchResult directly
rather than getting the DE via GetDirectoryEntry. It will be faster (fewer
round trips). You need to add "displayName" to PropertiesToLoad to have it
be in the SearchResult.

HTH,

Joe K.

"sqlboy2000" <> wrote in message
news:91D0D992-A542-4B51-935F-...
> Hi all,
> I'm currently using the following call to look up a user's windows Full
> Name
> from the domain controller:
>
> Dim strFilter = "(&(sAMAccountname=" & strUser &
> ")(objectClass=user))"
> Dim objEntry As New DirectoryEntry("LDAP://myDC", "user",
> "password")
> Dim search As New DirectorySearcher(objEntry)
> search.Filter = strFilter
> Dim result As DirectoryEntry = search.FindOne.GetDirectoryEntry
> Label1.Text = result.Properties("displayName").Value
>
> This works fine, but my question is what are the minimum rights the user
> account would need to look this value up? Do you need to be a domain admin
> to
> access the user object and look up the Full Name?
>
> I'm trying to set up an account with the least rights possible to lookup a
> Full Name.
>
> Thanks.

Thanks for the info.

"Joe Kaplan (MVP - ADSI)" wrote:

> This depends on the security settings on your AD, but in general a normal
> domain user will be able to read displayName on most users.
>
> I'd also recommend specifying AuthenticationTypes.Secure on your DE
> constructor and suggest reading the displayName the SearchResult directly
> rather than getting the DE via GetDirectoryEntry. It will be faster (fewer
> round trips). You need to add "displayName" to PropertiesToLoad to have it
> be in the SearchResult.
>
> HTH,
>
> Joe K.
>
> "sqlboy2000" <> wrote in message
> news:91D0D992-A542-4B51-935F-...
> > Hi all,
> > I'm currently using the following call to look up a user's windows Full
> > Name
> > from the domain controller:
> >
> > Dim strFilter = "(&(sAMAccountname=" & strUser &
> > ")(objectClass=user))"
> > Dim objEntry As New DirectoryEntry("LDAP://myDC", "user",
> > "password")
> > Dim search As New DirectorySearcher(objEntry)
> > search.Filter = strFilter
> > Dim result As DirectoryEntry = search.FindOne.GetDirectoryEntry
> > Label1.Text = result.Properties("displayName").Value
> >
> > This works fine, but my question is what are the minimum rights the user
> > account would need to look this value up? Do you need to be a domain admin
> > to
> > access the user object and look up the Full Name?
> >
> > I'm trying to set up an account with the least rights possible to lookup a
> > Full Name.
> >
> > Thanks.
>
>
>