Anonymous Access to Active Directory

Sep 14, 2016 (Letztes Update) | Posted by Armin Götz Administration |

Usually there is an option to access Active Directory anonymously- anonymous access.

Normally you do not need it. But there are exceptions to every rule.

This article will give you a step-by-step manual for anonymous AD access.

Index

Basic Facts about Accessing Anonymously

Active Directory gives you the opportunity to access the directory anonymously.

You find this function deactivated. Usually you do not need it every day. That is because “authenticated users” can read the data by default. Anonymous access means that also not authenticated users can read and access data.

This doesn’t make too much sense at first. But there are always situations when a skilled consultant has to use it. These are special situations only.

Installing

Install the anonymous access to AD is really easy. Here are the two steps to do:

Setting access in the schema of the domain.

Setting permissions of the account on “NT Authority/Anonymous”

First you set up the access. To do so, open “ADSI Edit” on a domain controller with a user of the domain admins group. Next you connect with the configuration partition of the domain:

Anonymous Bind

Next you go to

CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=<my domain>

In the properties of Directory Service you open the attribute editor:

You activate the access for Anonymous by setting the attribute dSHeuristics on “0000002”.

Note: Most of the time this attribute is not set. If however attribute already has a value you just set the last digit (seventh) to “2”. There is no need to change the other numbers.

Now you activated the anonymous bind:

Enabling Reading

Now you grant the account access to the domain or certain OUs like follows:

Select properties, right-click on the domain/the OU.

Adding a new rule:

Here you may choose „read“ permission, which you can limit the way you like.
Now you can read the OU if you type it in directly:

Anonymous Access accomplished

Finally you have reached your aim. You have granted anonymous access to a user. The user can access the AD anonymously. Don’t forget to limit the permissions, because you do not want to have to many anonymous accesses on your domain.

FirstAttribute AG – Microsoft Consulting Partner for
Migration and Active Directory

AD Consulting | AD Migration

Did this help you? Share it or leave a comment:

Artikel erstellt am: 08.09.2016

HERNAN ANDRES VALENZUELA VALENZUELA

· Reply

July 31, 2020 at 3:44 PM

Hi,

First of all thank you very much for this guide
how can we test that it works?

Markus

January 8, 2021 at 11:35 AM

How can we do this with AD-LDS (formerly called ADAM)?

There is no “Active Directory Users and Computers” GUI there.

Thanks, Markus

Anonymous Access to Active Directory

Basic Facts about Accessing Anonymously

Installing

Anonymous Bind

Enabling Reading

Anonymous Access accomplished

2 Comments

Leave your reply.

Leave a Reply

<p>Your email is safe with us.<br/>Information about our <a href="https://activedirectoryfaq.com/contact-us/">data protection policies</a></p>

Dynamic AD Groups

Links

Social Icons Widget

Dynamic Entra ID Groups

Recent Articles

Categories