Anonymous LDAP operations to Active Directory are disabled on Windows Server 2003 domain controllers

Support for Windows Server 2003 ended on July 14, 2015

Microsoft ended support for Windows Server 2003 on July 14, 2015. This change has affected your software updates and security options. Learn what this means for you and how to stay protected.

This article was previously published under Q326690
By default, anonymous Lightweight Directory Access Protocol (LDAP) operations to Active Directory, other than rootDSE searches and binds, are not permitted in Microsoft Windows Server 2003.
Active Directory in earlier versions of Microsoft Windows-based domains accepts anonymous requests. In these versions, a successful result depends on having correct user permissions in Active Directory.

With Windows Server 2003, only authenticated users may initiate an LDAP request against Windows Server 2003-based domain controllers. You can override this new default behavior by changing the seventh character of the dsHeuristics attribute on the DN path as follows:
CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,Root domain in forest
The DsHeuristics setting applies to all Windows Server 2003-based domain controllers in the same forest. The value is realized by domain controllers upon Active Directory replication without restarting Windows. Microsoft Windows 2000-based domain controllers do not support this setting and do not restrict anonymous operations if they are present in a Windows Server 2003-based forest.

Valid values for the dsHeuristic attribute are 0 and 0000002. By default, the DsHeuristics attribute does not exist, but its internal default is 0. If you set the seventh character to 2 (0000002), anonymous clients can perform any operation that is permitted by the access control list (ACL), as can Windows 2000-based domain controllers.

Note If the attribute is already set, do not modify any characters in the DsHeuristics string other than the seventh character. If the value is not set, make sure that you provide the leading zeros up to the seventh character. Also, you can use Adsiedit.msc to make the change to the attribute.

The dsHeuristics string on a domain controller in the forest appears as follows when you view it by using Ldp.exe. Only selected attributes are shown.
>> Dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=<forest_name>,DC=com     2> objectClass: top; nTDSService;      1> cn: Directory Service;      1> dSHeuristics: 0000002; <-2 in the seventh character = anonymous         access allowed. Note the leading zeros.     1> name: Directory Service;

Artikelnummer: 326690 – Letzte Überarbeitung: 12/03/2007 04:38:36 – Revision: 13.3

Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems, Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems, Microsoft Windows Server 2003, Enterprise Edition (32-bit x86), Microsoft Windows Server 2003, Datacenter Edition (32-bit x86), Microsoft Windows Server 2003, Standard Edition (32-bit x86), Microsoft Windows Small Business Server 2003 Premium Edition, Microsoft Windows Small Business Server 2003 Standard Edition, Microsoft Windows Server 2003 Service Pack 1

  • kbenv kbinfo KB326690