The reason I mentioned the App Pool is because if you use the elevated privileges block, that's the credentials your code will run as. So if it works for that account, assuming you haven't granted your application pool any additional Active Directory permissions above a normal user, then I would assume that one of your users has sufficient permission to query the users of a specific AD group (I could be wrong).

Have you tried running this as a normal user and using current credentials rather than specifying them? If that doesn't work, secure store is probably a good option.

Callum

From: ozmoss-boun...@ozmoss.com [mailto:ozmoss-boun...@ozmoss.com] On Behalf Of Paul Noone
Sent: Monday, 7 May 2012 11:44 AM
To: 'ozMOSS'
Subject: RE: Elevate privileges for LDAP query

Hi Callum,

I'm interrogating AD security groups for their membership. Not SharePoint groups.

I'm not passing in app pool credentials, but another service account with sufficient privs via the web part properties.

I guess the secure store is an option. I haven't looked at that yet.

From: ozmoss-boun...@ozmoss.com [mailto:ozmoss-boun...@ozmoss.com] On Behalf Of Callum Bundy
Sent: Monday, 7 May 2012 11:17 AM
To: ozMOSS
Subject: RE: Elevate privileges for LDAP query

Also, are your web part users AD users? I would have thought they would have permission to see who was in the groups without the need for elevation.

Rather than giving your application pool greater access to AD (if that's necessary to show group members), why not keep the credentials in the secure store?

If they are forms users and have no access to AD, either way should work (secure store/elevated).

Callum

From: ozmoss-boun...@ozmoss.com [mailto:ozmoss-boun...@ozmoss.com] On Behalf Of Paul Noone
Sent: Monday, 7 May 2012 10:56 AM
To: 'ozMOSS (ozmoss@ozmoss.com)'
Subject: Elevate privileges for LDAP query

Hi all,

I have a web part which displays a drill-down tree view of AD security group members.

I'm currently passing credentials through in the wp properties at page load like so:

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!Page.IsPostBack)
        {
            if (!ScriptManager.GetCurrent(Page).IsInAsyncPostBack)
            {
                DirectoryEntry ldapConn = new DirectoryEntry(DCName);
                ldapConn.Path = "LDAP://" + ldapQuery;
                // Service-account credentials taken from the web part properties
                ldapConn.Username = username;
                ldapConn.Password = password;
                ldapConn.AuthenticationType = AuthenticationTypes.Secure;
                // ...
            }
        }
    }

I was wondering if I could achieve this without having to explicitly supply credentials by using elevated privileges.

Any recommendations?

Kind regards,
Paul

_______________________________________________ ozmoss mailing list ozmoss@ozmoss.com http://prdlxvm0001.codify.net/mailman/listinfo/ozmoss
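
The two alternatives discussed in this thread, written out as an added example (not code from any of the messages): binding to AD as the application pool identity inside an elevated block, and binding with a service account read from the Secure Store instead of from web part properties. It assumes SharePoint Server 2010; the class name, method names and the target application ID "AdGroupReader" are hypothetical.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security;
using Microsoft.BusinessData.Infrastructure.SecureStore;
using Microsoft.Office.SecureStoreService.Server;
using Microsoft.SharePoint;

public static class AdGroupBinder
{
    // Hypothetical Secure Store target application ID (assumption, not from the thread).
    private const string TargetAppId = "AdGroupReader";
    // Option 1: no stored credentials. Inside the elevated block the bind
    // uses the application pool identity, as Callum describes.
    public static void AsAppPool(string ldapPath, Action<DirectoryEntry> query)
    {
        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            using (DirectoryEntry entry = new DirectoryEntry(ldapPath))
            {
                entry.AuthenticationType = AuthenticationTypes.Secure;
                query(entry);
            }
        });
    }

    // Option 2: service account kept in the Secure Store. The calling user
    // must be a member of the target application for GetCredentials to succeed.
    public static void FromSecureStore(SPSite site, string ldapPath, Action<DirectoryEntry> query)
    {
        ISecureStoreProvider provider = SecureStoreProviderFactory.Create();
        ((ISecureStoreServiceContext)provider).Context = SPServiceContext.GetContext(site);
        string user = null, pass = null;
        using (SecureStoreCredentialCollection creds = provider.GetCredentials(TargetAppId))
        {
            foreach (SecureStoreCredential c in creds)
            {
                if (c.CredentialType == SecureStoreCredentialType.WindowsUserName) user = ToClear(c.Credential);
                if (c.CredentialType == SecureStoreCredentialType.WindowsPassword) pass = ToClear(c.Credential);
            }
        }
        if (user == null || pass == null) throw new InvalidOperationException("Secure Store entry is incomplete.");
        using (DirectoryEntry entry = new DirectoryEntry(ldapPath, user, pass, AuthenticationTypes.Secure))
            query(entry);
    }
    // Copy a SecureString out for DirectoryEntry, zeroing the unmanaged buffer afterwards.
    private static string ToClear(SecureString s)
    {
        IntPtr p = Marshal.SecureStringToBSTR(s);
        try { return Marshal.PtrToStringBSTR(p); } finally { Marshal.ZeroFreeBSTR(p); }
    }
}
```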