What permissions are needed to get groups from Active Directory?

I’m trying to set up Octopus to use our Active Directory groups to manage team memberships. We can all successfully authenticate, and I can add groups to a team so things are going pretty well. But the group permissions don’t actually work for any nested groups.

I ran this code snippet from an Octopus help article and it is throwing an error enumerating the groups returned by GetAuthorizationGroups:

System.Runtime.InteropServices.COMException: The specified directory service attribute or value does not exist.

If I run that script as a Domain Admin then everything works perfectly. I take that to mean that the user I’m running Octopus as is missing some permissions. But which ones? Which permissions does the Octopus user need to get groups via GetAuthorizationGroups?

Our wonderful sysadmin got this working by restoring some default permissions that were absent in our AD for complicated reasons. We were missing READ permissions to Authenticated Users on the standard Users container in Active Directory.


Thanks for getting in touch, and great to hear that you were able to find a solution to your issue!

Please don’t hesitate to contact us again if you run into any other problems.

Thank you and best regards,