Re: Account Permissions to query Active Directory
This is a difficult question in general because AD allows such flexible
delegation of permissions. Typically, I'd expect someone in the
Authenticated Users group in AD to be able to read the AzMan objects in the
directory. However, your admins might have delegated the permissions such
that only specific users can read them. As such, a solution that works for
me might not work for you.

Assuming that the app works fine when used with a domain user who doesn't
have any special permissions but does not work when configured with Network
Service (which uses the computer account when accessing the network), it may
be the case that Domain Users have rights to read these objects, but not
Domain Computers. You might try examining the ACLs on the AzMan objects and
containers and see what you can tell.

Best of luck,

Joe K.

"Keith F." <KeithF@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7E7AA1A9-FA98-4A31-979E-8D75E704D24F@xxxxxxxxxxxxxxxx
I'm working with my windows tech support guy on trying to give an ASP.NET 2.0
web app I built adequate permissions so it can query Active Directory for
user roles created using Authorization Manager.
If we go into the application pool properties on the web server, and on the
Identity tab, select configurable identity, and put in my tech guy's username
and password, the app works fine. I can use the IsInRole method, etc.
We've tried creating a special account just for this, but we haven't been
able to figure out exactly what permission this account needs to access
Active Directory.
Can anyone tell me how to set the permissions to allow a least privilege
account to query Active Directory? Or point me to a link that would help?
(Note: I'm using the AuthorizationStoreRoleProvider in my web.config)
Thanks,
KF
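One way to do the ACL inspection Joe suggests, as an added example that is not part of the original thread: the script below reads the security descriptor of the AzMan store object through ADSI and reports which principals hold read-type rights, then checks specifically for Domain Users, Domain Computers and Authenticated Users. The store path is a placeholder; use the distinguished name from the msldap:// connection string in your web.config.

```powershell
# Added example (not from the original thread): list the ACEs on an AzMan
# store object and flag which well-known groups hold read rights on it.
# $StorePath is a placeholder; replace it with the DN of your AzMan store
# (the msldap:// path from web.config, expressed as an LDAP:// path).
param(
    [string]$StorePath = "LDAP://CN=AzManStore,CN=Program Data,DC=example,DC=com"
)

# Rights a read-only consumer such as AuthorizationStoreRoleProvider relies on.
$readRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead -bor
              [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
              [System.DirectoryServices.ActiveDirectoryRights]::ListChildren -bor
              [System.DirectoryServices.ActiveDirectoryRights]::ListObject

function Get-ReadAccess {
    param([string]$Path)
    $entry = [ADSI]$Path
    # Include inherited ACEs and resolve SIDs to DOMAIN\Name where possible.
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($rule in $rules) {
        if (($rule.ActiveDirectoryRights -band $readRights) -ne 0) {
            [pscustomobject]@{
                Principal  = $rule.IdentityReference.Value
                AccessType = $rule.AccessControlType   # Allow or Deny
                Rights     = $rule.ActiveDirectoryRights
                Inherited  = $rule.IsInherited
                AppliesTo  = $rule.InheritanceType
            }
        }
    }
}

$results = Get-ReadAccess -Path $StorePath
$results | Sort-Object AccessType, Principal | Format-Table -AutoSize

# Compare the principals the thread contrasts: a domain user account versus
# the computer account that Network Service presents on the network.
foreach ($group in 'Domain Users', 'Domain Computers', 'Authenticated Users') {
    $hit = $results | Where-Object { $_.Principal -like "*\$group" }
    if ($hit) {
        "$group : read ACE present ($(($hit.AccessType | Select-Object -Unique) -join ','))"
    } else {
        "$group : no read ACE on this object (check the parent container and child objects)"
    }
}
```

Run the same check against the AzMan application object beneath the store, since the role provider reads roles and operations from there as well; a Deny ACE listed for a group the app pool account belongs to overrides any Allow found elsewhere.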
