How to configure Active Directory to allow anonymous queries

Many environments require you to make anonymous queries to Active Directory. For example, you may have to make anonymous queries to return e-mail addresses. You can configure Active Directory to allow these queries.

This article describes how to configure Active Directory to support anonymous queries even though allowing anonymous queries can weaken the security of Active Directory. Use caution when you apply permissions to Active Directory because a misconfiguration may allow non-authenticated users to query for secure information. As a general rule, only give the Anonymous Logon account the permissions that are required to perform the anonymous query.

For Active Directory to support anonymous queries, the following conditions must be true:

• Permissions on Active Directory are set to allow anonymous queries.
• The LDAP client that is making the queries is configured correctly.

This article describes how to configure a LDAP client to search the Active Directory.

Setting Active Directory Permissions

Apply the following permissions to the root of the domain naming context for the domain against which you want to make queries.

To grant the required permissions for anonymous access, follow these steps. Repeat the steps for each item in the table. The table shows the required permissions to perform queries to look up e-mail names. Substitute the table heading listed in the steps with the value listed in the table.


WARNING: If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Exchange 2000 Server, or both. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.

1. Open ADSIEdit from the Windows 2000 Support Tools.
2. Locate the Domain Naming Context folder. This folder has the LDAP path of your domain.
3. Right-click the Domain Naming Context folder, and then click Properties.
4. Click Security.
5. Click Advanced.
6. Click Add.
7. Click the User Object user, and then click OK.
8. Click the Permission Type tab.
9. Click Inheritance from the Apply onto box.
10. Click to select the Allow check box for the Permission permission.

Configuring the Client

To perform anonymous queries to Active Directory, you must properly configure the server name, port number, username and password of the LDAP client that is making the queries. The information provided here applies to all LDAP clients:

• Server name:
  
  The server name must be a Fully Qualified Domain Name (FQDN) of a Windows 2000 domain controller that is also a global catalog server. You must send all LDAP queries to a global catalog because the global catalog contains a copy of all the objects in a forest but only a partial set of attributes. This allows the global catalog to perform searches very quickly, even for objects that are outside its domain, if the attribute that you are looking for is included in the global catalog.
• Port Number:
  
  Set the port number to 3268. This is the designated port on which the global catalog listens for queries. Only domain controllers that are also global catalog servers use this port.
• UserName:
  
  Set UserName to anonymous. This setting matches the security settings that were mentioned earlier. Setting UserName this way is as important as applying the correct security to the domain.
• Password:
  
  Leave the password blank.

This configuration allows anonymous queries to Active Directory. This is just an example of how to configure Active Directory to allow anonymous queries to retrieve e-mail information of a particular user. You may have to try different permission settings if you want to search for a different object or attribute. The following query is an example that you can use to test the configuration that was used in this article: