"GetAuthorizationGroups" throws exception when reading groups for user from Active Directory

I'm trying to find groups via GetAuthorizationGroups, and it's sort of working in that I can get an IEnumerable back, but most of the items I get back throw an exception when I try to read them:

System.Runtime.InteropServices.COMException:
The specified directory service attribute or value does not exist.

If you plug in your own domain, container, and username, you should get a list of their groups:

PowerShell:

# Load the .NET directory-services assemblies (LoadWithPartialName is deprecated
# but still works in Windows PowerShell; Add-Type -AssemblyName is the modern form).
[System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.AccountManagement")
[System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices")
[System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.ActiveDirectory")

$username = "a-user-such-as-yourself"

# ContextType "Domain", the domain name, and the container DN to search under
$principalContext = new-object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext "Domain", "yourADdomain.com", "OU=whatever,OU=andever,DC=yourADdomain,DC=com"

$principal = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($principalContext, $username)

# Enumerating the result reads each group's attributes, which is where the exception surfaces
$groups = $principal.GetAuthorizationGroups()
Write-Output $groups

If I ignore all the exceptions, it successfully returns the groups "Everyone", "Authenticated Users", and a couple more, but throws an exception on others.

If I run this as a Domain Admin it works fine, returning all groups without any exceptions.

So I'm assuming that the user running this needs some sort of permission in Active Directory. But which one?

Michael Haren asked May 14 '19 17:05
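A diagnostic version of the script above, added here as an example and not part of the original question: it enumerates the same authorization groups but reads each group's attributes inside a try block, so the groups that throw the COMException are recorded by SID instead of aborting the run. The domain, container DN and user name are placeholders, and the nested SID read is an assumption: the SID comes from the user's token, so it is usually readable even when the group object itself is not.

```powershell
# Added diagnostic example (not from the original post). Placeholders: domain,
# container DN and user name must be replaced with your own values.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

$domain    = "yourADdomain.com"                                  # placeholder
$container = "OU=whatever,OU=andever,DC=yourADdomain,DC=com"     # placeholder
$username  = "a-user-such-as-yourself"                           # placeholder

$ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
    [System.DirectoryServices.AccountManagement.ContextType]::Domain, $domain, $container)
$user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $username)
if (-not $user) { throw "User '$username' not found under $container" }

$readable   = New-Object System.Collections.Generic.List[object]
$unreadable = New-Object System.Collections.Generic.List[object]

# GetAuthorizationGroups() yields GroupPrincipal objects lazily; the
# "attribute or value does not exist" COMException is raised when a group's
# directory attributes (Name, DistinguishedName, ...) are read, so read them
# inside the try block and keep going on failure.
try {
    foreach ($g in $user.GetAuthorizationGroups()) {
        try {
            $readable.Add([pscustomobject]@{
                Sid  = $g.Sid.Value
                Name = $g.Name
                DN   = $g.DistinguishedName
            })
        }
        catch [System.Runtime.InteropServices.COMException] {
            # Assumption: the SID is still readable because it originates from
            # the token, not from the directory object; fall back if it is not.
            $sid = try { $g.Sid.Value } catch { "(unreadable)" }
            $unreadable.Add([pscustomobject]@{
                Sid   = $sid
                Error = $_.Exception.Message
            })
        }
    }
}
catch {
    # If the enumerator itself throws, PowerShell ends the foreach; report it
    # rather than silently returning a partial list.
    Write-Warning "Enumeration stopped early: $($_.Exception.Message)"
}

Write-Output "Readable groups:"
$readable | Format-Table -AutoSize
Write-Output "Groups whose attributes could not be read (hand these SIDs to your AD admin):"
$unreadable | Format-Table -AutoSize
```

Running this as the restricted account and then as a Domain Admin and comparing the two lists shows which group objects the restricted account cannot read, which is the evidence an AD administrator needs to find the missing permission.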


1 Answer

Our wonderful sysadmin got this working by restoring some default permissions that were absent in our AD for complicated reasons. We were missing READ permissions to Authenticated Users on the standard Users container in Active Directory.

Michael Haren answered Oct 27 '22 06:10
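A check for the condition the answer describes, added here as an example and not part of the original answer: it reads the ACL on the domain's default Users container through the AD: drive that the RSAT ActiveDirectory module provides and reports whether Authenticated Users (well-known SID S-1-5-11) is allowed ReadProperty and ListChildren there. The function name and its output shape are my own; the container DN defaults to CN=Users under the current domain and can be overridden.

```powershell
# Added check example (not from the original post). Requires the RSAT
# ActiveDirectory module, which exposes the AD: PSDrive used by Get-Acl.
Import-Module ActiveDirectory

function Test-AuthenticatedUsersRead {
    param(
        # Defaults to the standard Users container; pass another DN to check a different object.
        [string]$ContainerDn = ("CN=Users," + (Get-ADDomain).DistinguishedName)
    )

    $acl = Get-Acl -Path ("AD:\" + $ContainerDn)

    # Select Allow ACEs whose trustee resolves to S-1-5-11 (Authenticated Users).
    $rules = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-5-11'
    })

    $readProperty = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    $listChildren = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren

    # An ObjectType of Guid.Empty means the ACE applies to all properties; a
    # specific GUID restricts it to one property or property set and is not
    # enough on its own to read arbitrary group attributes.
    $fullReadProperty = $rules | Where-Object {
        $_.ActiveDirectoryRights.HasFlag($readProperty) -and $_.ObjectType -eq [guid]::Empty
    }
    $listChildrenRule = $rules | Where-Object { $_.ActiveDirectoryRights.HasFlag($listChildren) }

    [pscustomobject]@{
        Container            = $ContainerDn
        AuthenticatedUsersAces = $rules.Count
        HasReadAllProperties = [bool]$fullReadProperty
        HasListChildren      = [bool]$listChildrenRule
        Rules                = $rules | Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, IsInherited
    }
}

# Usage: run as an account that can read the container's security descriptor.
$result = Test-AuthenticatedUsersRead
$result | Format-List Container, AuthenticatedUsersAces, HasReadAllProperties, HasListChildren
$result.Rules | Format-Table -AutoSize
```

If HasReadAllProperties or HasListChildren comes back false on the Users container, the default ACE the answer refers to has been removed or altered, and the per-group exceptions from the question follow from that; the Rules table shows which narrower or inherited ACEs remain so the change can be reviewed before the default is restored.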