Article ID: 320528 - View products that this article applies to.
This article was previously published under Q320528
NoticeThis article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center
(http://support.microsoft.com/?scid=http%3a%2f%2fsupport.microsoft.com%2fwin2000)is a starting point for planning your migration strategy from Windows 2000. For more information see the Microsoft Support Lifecycle Policy
Many environments require you to make anonymous queries to Active Directory. For example, you may have to make anonymous queries to return e-mail addresses. You can configure Active Directory to allow these queries.
This article describes how to configure Active Directory to support anonymous queries even though allowing anonymous queries can weaken the security of Active Directory. Use caution when you apply permissions to Active Directory because a misconfiguration may allow non-authenticated users to query for secure information. As a general rule, only give the Anonymous Logon account the permissions that are required to perform the anonymous query.
For Active Directory to support anonymous queries, the following conditions must be true:
Setting Active Directory PermissionsApply the following permissions to the root of the domain naming context for the domain against which you want to make queries.
To grant the required permissions for anonymous access, follow these steps. Repeat the steps for each item in the table. The table shows the required permissions to perform queries to look up e-mail names. Substitute the table heading listed in the steps with the value listed in the table.
Collapse this tableExpand this table
WARNING: If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Exchange 2000 Server, or both. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
Configuring the ClientTo perform anonymous queries to Active Directory, you must properly configure the server name, port number, username and password of the LDAP client that is making the queries. The information provided here applies to all LDAP clients: