How to configure Active Directory to allow anonymous queries
This article describes how to configure Active Directory to support anonymous queries even though allowing anonymous queries can weaken the security of Active Directory. Use caution when you apply permissions to Active Directory because a misconfiguration may allow non-authenticated users to query for secure information. As a general rule, only give the Anonymous Logon account the permissions that are required to perform the anonymous query.
- Permissions on Active Directory are set to allow anonymous queries.
- The LDAP client that is making the queries is configured correctly.
Setting Active Directory PermissionsApply the following permissions to the root of the domain naming context for the domain against which you want to make queries.
To grant the required permissions for anonymous access, follow these steps. Repeat the steps for each item in the table. The table shows the required permissions to perform queries to look up e-mail names. Substitute the table heading listed in the steps with the value listed in the table.
|User Object||Permissions||Inheritance||Permission Type|
|ANONYMOUS LOGON||List Contents||Container Objects||Object|
|ANONYMOUS LOGON||List Contents||Organizational Unit Objects||Object|
|ANONYMOUS LOGON||Read Public Information||User Objects||Property|
|ANONYMOUS LOGON||Read Phone and Mail Options||User Objects||Property|
WARNING: If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Exchange 2000 Server, or both. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
- Open ADSIEdit from the Windows 2000 Support Tools.
- Locate the Domain Naming Context folder. This folder has the LDAP path of your domain.
- Right-click the Domain Naming Context folder, and then click Properties.
- Click Security.
- Click Advanced.
- Click Add.
- Click the User Object user, and then click OK.
- Click the Permission Type tab.
- Click Inheritance from the Apply onto box.
- Click to select the Allow check box for the Permission permission.
Configuring the ClientTo perform anonymous queries to Active Directory, you must properly configure the server name, port number, username and password of the LDAP client that is making the queries. The information provided here applies to all LDAP clients:
- Server name:
The server name must be a Fully Qualified Domain Name (FQDN) of a Windows 2000 domain controller that is also a global catalog server. You must send all LDAP queries to a global catalog because the global catalog contains a copy of all the objects in a forest but only a partial set of attributes. This allows the global catalog to perform searches very quickly, even for objects that are outside its domain, if the attribute that you are looking for is included in the global catalog.
- Port Number:
Set the port number to 3268. This is the designated port on which the global catalog listens for queries. Only domain controllers that are also global catalog servers use this port.
Set UserName to anonymous. This setting matches the security settings that were mentioned earlier. Setting UserName this way is as important as applying the correct security to the domain.
Leave the password blank.
Article ID: 320528 - Last Review: 10/30/2006 23:20:29 - Revision: 3.3
- kbhowto KB320528