Directory Programming .NET

Active Directory and ADAM programming support for .NET developers

Unable to get users tokenGroups attribute.

Last post 07-27-2010, 9:14 AM by john41980. 2 replies.
  •  07-23-2010, 7:57 AM 8491

    Unable to get users tokenGroups attribute.

    Hi

    I've done a bit of searching and been unable to unearth or understand a definite answer.

    Currently I have an ASP.NET project running on IIS7 and the application pool is running under the Network Service account. In this project I need to get a list of the user's groups (including nested). I had some success with the GetAuthorizationGroups method using a principal context, but this doesn't work on all of my customers' sites.

    I then went to use the tokenGroups method, which I've also got working. But I am struggling to get it working at a particular site.

    When I do a query for the user's attribute or use the user.RefreshCache method it does not work. The only way I can get it to work is if my client enters his domain admin credentials.

    So my question is: how can I get the website or the web server's Network Service account to have permissions to retrieve the tokenGroups attribute?
  •  07-23-2010, 4:21 PM 8492 in reply to 8491

    Re: Unable to get users tokenGroups attribute.

    John,

    The Network Service account acts on behalf of the server's machine account (which may or may not be a member of a domain). My guess is that your code is running on a machine that is not a member of (or is not trusted by) the domain which holds the user objects you are looking for.

    My suggestion would be to use a domain account/service account with read permissions for your application pool.
  •  07-27-2010, 9:14 AM 8495 in reply to 8492

    Re: Unable to get users tokenGroups attribute.

    Hi, I have attempted using a domain account that is a member of a group that has full read permissions in Active Directory Users and Computers. A domain admin account can retrieve the attribute but the domain account I use cannot. Is there a specific requirement for reading the attribute in ADUC?
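
Added example, not part of the thread or any poster's code: a small C# console check that reads tokenGroups for one user, binding either as the process identity or as an explicit account, so the Network Service, service-account and domain-admin results discussed above can be compared from the same machine. The LDAP path and account name shown in the comments are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;          // add a reference to System.DirectoryServices.dll
using System.Runtime.InteropServices;
using System.Security.Principal;

static class TokenGroupsCheck
{
    // bindUser/bindPassword == null binds as the process identity (for a web app, the app pool account).
    static List<SecurityIdentifier> ReadTokenGroups(string userPath, string bindUser, string bindPassword)
    {
        var sids = new List<SecurityIdentifier>();
        using (var user = new DirectoryEntry(userPath, bindUser, bindPassword, AuthenticationTypes.Secure))
        {
            // tokenGroups is a constructed attribute, so it is requested by name on the object itself.
            user.RefreshCache(new[] { "tokenGroups" });
            foreach (byte[] raw in user.Properties["tokenGroups"])
                sids.Add(new SecurityIdentifier(raw, 0));
        }
        return sids;
    }

    static void Main(string[] args)
    {
        // args[0]: user object path (placeholder: LDAP://CN=Some User,OU=Staff,DC=example,DC=com)
        // args[1]: optional bind account (placeholder: EXAMPLE\svc-webapp); the password is prompted for
        if (args.Length == 0) { Console.WriteLine("usage: TokenGroupsCheck <ldapPath> [bindUser]"); return; }
        string bindUser = args.Length > 1 ? args[1] : null;
        string bindPassword = null;
        if (bindUser != null) { Console.Write("Password (echoed): "); bindPassword = Console.ReadLine(); }
        Console.WriteLine("Process identity: " + WindowsIdentity.GetCurrent().Name);
        Console.WriteLine("Binding as:       " + (bindUser ?? "(process identity)"));
        try
        {
            List<SecurityIdentifier> sids = ReadTokenGroups(args[0], bindUser, bindPassword);
            if (sids.Count == 0)
                Console.WriteLine("Bind succeeded, but no tokenGroups values were returned to this identity.");
            foreach (SecurityIdentifier sid in sids)
            {
                string name;
                try { name = sid.Translate(typeof(NTAccount)).Value; }
                catch (IdentityNotMappedException) { name = "(unresolved)"; }
                Console.WriteLine(sid.Value + "  " + name);
            }
        }
        catch (COMException ex)   // bind or read failure; report the HRESULT for diagnosis
        {
            Console.WriteLine("Read failed: 0x" + ex.ErrorCode.ToString("X8") + " " + ex.Message);
        }
    }
}
```

Running it once per identity on the affected web server separates a failed bind (an exception with an HRESULT) from a successful bind that simply returns no tokenGroups values.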