
I have created some custom attributes for users inside of Active Directory and have also created a basic account to use to log in to AD so it can read these attributes, as well as the standard ones in AD.

I have assigned the user to "Domain Users" but the user can only read the standard attributes and none of the custom ones. What explicit permission do I need to give this user so it can read the custom attributes from AD?

Greg Askew

2 Answers


If you look at the Security tab of an object in AD you'll see that Domain Users don't have any explicit permissions. What every user does have though is membership in the Authenticated Users group and the Everyone group (which are special security principals and aren't true groups and can't be managed as such). If you look at the permissions on an AD object for those two groups you'll see what permissions they have on those objects. What you probably want to do is to use the Delegation of Control wizard (scoped to the appropriate Container or OU) to grant your user "Read all user information".

joeqwerty

This depends heavily on your AD setup and on any customizations you may have made to inheritance etc.

Make sure that the user / group that should be able to read the attributes has this access granted on the destination nodes (either directly or, probably better, via inheritance). To set up access, go to the desired nodes (e.g. an OU) in AD and add read access for the attributes in question for the desired users/groups (via the security settings on the target).

Daniel Nachtrub
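Both answers describe the same mechanism: an access control entry on the OU (or container) that grants the bind account Read Property on the attributes, inherited down to the user objects. The Delegation of Control wizard's "Read all user information" grants read on every property; the narrower form, which answers the question as asked, is an object-specific ACE that names the custom attribute's schema GUID. The following script is an added example, not code from either answer or from Microsoft; the domain `contoso.local`, the OU `Staff`, the account `svc-ldapread` and the attribute names `contosoBadgeId` and `contosoCostCentre` are placeholders, and it assumes the RSAT ActiveDirectory module and an account that can write the OU's DACL.

```powershell
# Added example (not from the answers above): grant a bind account explicit
# Read Property access to named custom attributes on every user object below
# an OU, then verify both the ACL and the effective read.
# Placeholders to replace: OU, account name, attribute lDAPDisplayNames.
Import-Module ActiveDirectory

$OU      = "OU=Staff,DC=contoso,DC=local"   # assumed OU
$Account = "svc-ldapread"                   # assumed bind account
$Attribs = @("contosoBadgeId", "contosoCostCentre")   # assumed custom attributes

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# ACEs on directory objects identify attributes and classes by schemaIDGUID,
# not by name, so resolve each lDAPDisplayName in the schema partition.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "No schema object with lDAPDisplayName '$LdapDisplayName'" }
    [guid]$obj.schemaIDGUID
}

$userClassGuid = Get-SchemaGuid -LdapDisplayName "user"
$sid           = (Get-ADUser -Identity $Account).SID

$acl = Get-Acl -Path "AD:\$OU"
foreach ($attr in $Attribs) {
    # Allow ReadProperty on exactly this attribute (ObjectType), inherited by
    # descendant objects of class user only (InheritedObjectType). Descendents
    # rather than All keeps the ACE off the OU object itself.
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaGuid -LdapDisplayName $attr),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid
    )
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$OU" -AclObject $acl

# Check 1: read the DACL back and show this account's ACEs with the GUIDs
# mapped to names, which is what the Security tab's Advanced view shows.
$guidNames = @{}
foreach ($name in $Attribs + "user") {
    $guidNames[(Get-SchemaGuid -LdapDisplayName $name).ToString()] = $name
}
(Get-Acl -Path "AD:\$OU").Access |
    Where-Object { $_.IdentityReference -like "*\$Account" } |
    ForEach-Object {
        [pscustomobject]@{
            Rights         = $_.ActiveDirectoryRights
            Attribute      = $guidNames[$_.ObjectType.ToString()]
            AppliesToClass = $guidNames[$_.InheritedObjectType.ToString()]
            Inheritance    = $_.InheritanceType
        }
    } | Format-Table -AutoSize

# Check 2: bind as the account and read the attributes. Values that come back
# empty for every user mean the ACE is not effective (wrong scope, blocked
# inheritance, or a confidential attribute; see the note below).
$cred = Get-Credential -UserName "CONTOSO\$Account" -Message "Password for $Account"
Get-ADUser -Filter * -SearchBase $OU -Properties $Attribs -Credential $cred |
    Select-Object -Property (@("SamAccountName") + $Attribs) | Format-Table -AutoSize
```

Two caveats worth checking if the read still fails after the ACE is in place. First, an OU with inheritance blocked (the "Disable inheritance" option on the Security tab) will not receive the ACE from its parent, which is the situation the second answer alludes to; in that case the ACE has to be set on that OU directly. Second, if a custom attribute was created with the confidential bit set in its schema definition (`searchFlags` bit 0x80), Read Property alone is not sufficient: reading it also requires a control access right on the attribute, and even "Read all user information" from the wizard will not return it.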