
Active Directory LDAP, Elevated permissions to read groups..?

I have a test utility written in C# using `System.DirectoryServices.AccountManagement`. I am creating a PrincipalContext connection to Active Directory on a remote machine from a virtual server (LDAP).

I am 100% able to connect to active directory, and authenticate using a username and password (UserPrincipal.FindByIdentity, and then context.ValidateCredentials).

But I cannot read the groups. It pulls back the default ones, like Domain Users. If I run the utility as a local administrator of the virtual server (not a user that exists in AD), then suddenly I can get all the specified user's groups from Active Directory using the exact same parameters.

How is that possible? What am I missing?

My code follows, though I believe the problem is entirely unrelated to the code; as mentioned, it works fine when running elevated.

    g_context = new PrincipalContext(ContextType.Domain, this.USERDOMAIN);
    g_principal = UserPrincipal.FindByIdentity(g_context, IdentityType.SamAccountName, this.USERNAME);
    this.g_entry = (DirectoryEntry)g_principal.GetUnderlyingObject();
    this.AUTHENTICATED = g_context.ValidateCredentials(this.USERNAME, this.USERPASS);

That's the setup. Then we later use the g_context:

    List<String> memberships = GetGroups(this.g_principal, true); // get a list of all possible groups for user

a call to a recursive group scanning function:

    private List<String> GetGroups(Principal source, bool debug, int depth = 0, List<String> resultset = null) {
        if (resultset == null) resultset = new List<String>();
        depth++;
        // walk the groups this principal is directly a member of
        foreach (GroupPrincipal group in source.GetGroups()) {
            if (!resultset.Contains(group.Name)) {
                resultset.Add(group.Name);
                if (debug) {
                    log.Debug((String.Join("\t", new String[depth - 1])) + "Located group(" + group.Name + ") at depth: " + depth);
                }
                // recurse so nested (group-in-group) memberships are collected too
                resultset = GetGroups(group, debug, depth, resultset);
            }
        }
        return resultset;
    }

When run as administrator, AD responds with all possible group memberships of the username. When not running as an elevated program, AD responds with fewer groups (only the basic ones).

Any suggestions on where I need to dig for a solution? Is there some hidden local policy on a virtual Windows machine OS that hides Active Directory data on LDAP connections for non-admins?

Found the problem: basically AD 2008 / earlier doesn't (apparently) respond with all the groups when requested from a non-admin user (or something like that). Had to use a different approach:

SearchResult entry scanning for the [cn] property, with `Filter = String.Format("(&(objectCategory=group)(member={0}))", user.DistinguishedName);`

or use `System.Security.Principal.WindowsIdentity`, which has a groups collection to loop over.

Both of which work fine.
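The first approach from the answer, written out as an added example (not the asker's code): a DirectorySearcher using the `(&(objectCategory=group)(member={0}))` filter, applied recursively so nested groups are found, with the DN hex-escaped before it is spliced into the filter (a DN containing `(`, `)`, `*` or `\` would otherwise change the query). The domain root `LDAP://DC=example,DC=local` and the user DN are assumed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

static class GroupLookup
{
    // RFC 4515 escaping: the DN is spliced into a filter string, so characters
    // with filter meaning are hex-escaped rather than trusted as-is.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            if ("\\*()\0".IndexOf(c) >= 0) sb.Append('\\').Append(((int)c).ToString("x2"));
            else sb.Append(c);
        }
        return sb.ToString();
    }

    // Collects every group whose member attribute lists memberDn, then recurses
    // into each group found so nested memberships are included as well.
    public static void CollectGroups(DirectoryEntry root, string memberDn,
                                     ISet<string> seen, int depth = 0)
    {
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = String.Format("(&(objectCategory=group)(member={0}))",
                                            EscapeFilterValue(memberDn));
            searcher.PropertiesToLoad.Add("cn");
            searcher.PropertiesToLoad.Add("distinguishedName");
            searcher.PageSize = 500; // paged results, so large group lists are not truncated
            foreach (SearchResult entry in searcher.FindAll())
            {
                string cn = (string)entry.Properties["cn"][0];
                if (!seen.Add(cn)) continue; // already visited: also breaks group cycles
                Console.WriteLine(new string('\t', depth) + "Located group(" + cn + ") at depth: " + (depth + 1));
                CollectGroups(root, (string)entry.Properties["distinguishedName"][0], seen, depth + 1);
            }
        }
    }

    static void Main()
    {
        // Placeholders (assumed, not from the page): the domain root and the user's DN.
        var root = new DirectoryEntry("LDAP://DC=example,DC=local");
        var groups = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        CollectGroups(root, "CN=Some User,CN=Users,DC=example,DC=local", groups);
        Console.WriteLine(groups.Count + " groups found");
    }
}
```

Note that the `member` attribute does not record primary group membership (that is stored via `primaryGroupID`), so a user's primary group, typically Domain Users, will not show up in this walk.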
