Mac OS X Server: Access to Active Directory attributes required for computer accounts

Posted in Apple Portable Computers

Summary

Mac OS X client computer account records created in Active Directory require additional access to certain attributes in order to work as expected.

Products Affected

Mac OS X Server 10.6, Mac OS X Server 10.5

Depending on how your Active Directory is configured, you may need to adjust permissions. The simplest configuration is to allow Domain Computer accounts from all domains to read the attributes listed below on "Computer Objects", "User Objects", and "Group Objects". Computer accounts should not have "write" access to these attributes.
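The following PowerShell audit script is an added example, not part of this article: it checks, for a subset of the attributes listed below, whether the Domain Computers group holds read access and flags any write access on user, group and computer objects under one container. It assumes the RSAT ActiveDirectory module on a domain-joined Windows host; the container DN in `$OU` and the attribute subset are placeholders you replace.

```powershell
# Added example (not Apple's code): audit a container's DACL for "Domain Computers".
# For each (object class, attribute) pair, report read access and flag write access.
Import-Module ActiveDirectory

$OU         = "OU=Mac Clients,DC=example,DC=com"     # assumed placeholder DN
$Group      = "$env:USERDOMAIN\Domain Computers"      # NetBIOS form as shown in ACEs
$Attributes = @("cn", "displayName", "sAMAccountName", "primaryGroupID",
                "homeDirectory", "profilePath", "mail", "userPrincipalName")
$Classes    = @("user", "group", "computer")

$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$Name) {
    # schemaIDGUID is what an ACE's ObjectType / InheritedObjectType refers to
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$Name)" -Properties schemaIDGUID
    if ($o) { [guid]$o.schemaIDGUID } else { $null }
}
$attrGuid  = @{}; foreach ($a in $Attributes) { $attrGuid[$a]  = Get-SchemaGuid $a }
$classGuid = @{}; foreach ($c in $Classes)    { $classGuid[$c] = Get-SchemaGuid $c }

# Rights masks; generic rights are folded in so a GenericAll ACE is reported as write.
$R = [System.DirectoryServices.ActiveDirectoryRights]
$readMask  = [int]$R::ReadProperty  -bor [int]$R::GenericRead  -bor [int]$R::GenericAll
$writeMask = [int]$R::WriteProperty -bor [int]$R::GenericWrite -bor [int]$R::GenericAll
$empty = [guid]::Empty

# Get-Acl on the AD: drive returns explicit and inherited ACEs together.
$aces = (Get-Acl -Path "AD:\$OU").Access | Where-Object {
    $_.IdentityReference.Value -eq $Group -and $_.AccessControlType -eq "Allow"
}

foreach ($class in $Classes) {
    foreach ($attr in $Attributes) {
        # An ACE applies if it names this attribute (or all properties, empty GUID)
        # and this object class (or all classes, empty GUID).
        $applicable = $aces | Where-Object {
            ($_.ObjectType -eq $empty -or $_.ObjectType -eq $attrGuid[$attr]) -and
            ($_.InheritedObjectType -eq $empty -or $_.InheritedObjectType -eq $classGuid[$class])
        }
        $rights   = 0
        foreach ($ace in $applicable) { $rights = $rights -bor [int]$ace.ActiveDirectoryRights }
        $status = if ($rights -band $writeMask) { "WRITE granted (remove)" }
                  elseif ($rights -band $readMask) { "read ok" }
                  else { "read MISSING" }
        "{0,-9} {1,-20} {2}" -f $class, $attr, $status
    }
}
```

Deny ACEs and rights granted through nested group membership are not evaluated here, so treat "read ok" as a necessary rather than sufficient check.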

For Windows 2000 Default Schemas

c
cn
company
dNSHostName
department
description
displayName
driverName
facsimileTelephoneNumber
givenName
homeDirectory
homeDrive
l
lastLogoff
lastLogon
location
mail
mailNickname
mobile
pager
physicalDeliveryOfficeName
postalAddress
postalCode
primaryGroupID
printerName
profilePath
pwdLastSet
rid
sAMAccountName
sAMAccountType
scriptPath
sn
st
street
streetAddress
telephoneNumber
title
url
userPrincipalName
userWorkstations

For Apple Schema extensions

For schemas that have been extended with the Apple schema extensions, all of the following attributes should be readable for all record types:

apple-category
apple-computeralias
apple-computer-list-groups
apple-computers
apple-data-stamp
apple-dnsname
apple-dns-domain
apple-dns-nameserver
apple-group-homeowner
apple-group-homeurl
apple-home-directory
apple-imhandle
apple-keyword
apple-mcxflags
apple-mcxsettings
apple-mountDirectory
apple-mountDumpFrequency
apple-mountOption
apple-mountPassNo
apple-mountType
apple-service-location
apple-service-port
apple-service-type
apple-service-url
apple-user-class
apple-user-authenticationhint
apple-user-homequota
apple-user-homesoftquota
apple-user-homeurl
apple-user-mailattribute
apple-user-picture
apple-user-printattribute
apple-webloguri
apple-xmlplist
gidNumber
ipHostNumber
loginShell
macAddress
uidNumber
ttl