Title: Message

Given this scenario - a user logs in to a Portal, the Portal then checks his/her authentication against AD 2003 in order to verify the user/password combination is valid in AD, and then the Portal creates a token for its own purposes of navigating through the Portal (as opposed to using AD credentials to determine authorization) – if you wanted to then retrieve the PasswordLastChanged property of that user object without making the user log in again then you’d either have to run the process as a user for the LDAP query against AD, or grant ANONYMOUS read privilege to User-password.whenChanged, plus maybe other things – I’ve never tried anonymous queries against AD. I think (is this right?) I’m thinking we don’t want to change the permissions, so if we use a restricted user account, shouldn’t we be able to read any user object’s PasswordLastChanged property (Authenticated Users have Read permissions on most all properties, as far as I could determine)? Are there any gotchas I should be aware of, and am I missing anything here?

Thanks

Rich Milburn

MCSE, MS MVP