LDAP anonymous operations on Active Directory

In a Windows 2000 Active Directory, LDAP anonymous operations against AD are allowed. A Windows Server 2003 domain/forest does not allow them by default, except against the RootDSE object. It is, however, a configurable option.

For a complete description you can check here, but a quick run-through follows:

Fire up ADSIEdit.msc and navigate to CN=Directory Service,CN=Windows NT,CN=Services,DC=mydomain,DC=com (or Services\Windows NT\Directory Service in the tree view). Right-click, select Properties and find the dsHeuristics attribute. Change the seventh character of the value to 2 (or set the value to 0000002 if it wasn't set before). All you need to do next is give the ANONYMOUS LOGON account Read access to the objects you wish to query and List Contents rights on the objects directly above them.

There you go. You should be able to execute code like this against a Windows 2003 Active Directory:

using System;
using System.DirectoryServices;

static void Main(string[] args)
{
  // Note that we do not authenticate here like we normally would, e.g.
  // new DirectoryEntry("LDAP://ADServer:389/CN=Users,DC=mydomain,DC=local", "someuser", "sTr0nGP4ssword");
  // Instead we request an explicit anonymous bind.
  DirectoryEntry searchRoot = new DirectoryEntry(
    "LDAP://ADServer:389/CN=Users,DC=mydomain,DC=local",
    null, null, AuthenticationTypes.Anonymous);
  DirectorySearcher searcher = new DirectorySearcher(searchRoot);
  searcher.Filter = "(sAMAccountName=UserNameToSearchFor)";

  SearchResult result = searcher.FindOne();
  if (result != null)
  {
    DirectoryEntry userEntry = result.GetDirectoryEntry();
    Console.WriteLine(userEntry.Path);
  }
}
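
Since enabling this widens who can read the directory, an administrator will want a quick way to see whether it is on and what ANONYMOUS LOGON has been granted. The following PowerShell audit is an added example (not code from the original post): it resolves the Configuration partition from RootDSE rather than hard-coding the DN, checks the seventh character of dsHeuristics, and lists ACEs on a container that name ANONYMOUS LOGON; $auditDn is a placeholder and the script assumes a domain-joined host with the built-in ADSI provider.

```powershell
# Added example, not part of the original post: audit anonymous LDAP settings.
# Assumes a domain-joined host; $auditDn is a constructed placeholder DN.
param(
    [string]$auditDn = "CN=Users,DC=mydomain,DC=local"
)

# Resolve the Configuration partition from RootDSE instead of hard-coding it.
$rootDse   = [ADSI]"LDAP://RootDSE"
$configNc  = [string]$rootDse.configurationNamingContext
$dsService = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"

$dsHeuristics = [string]$dsService.Properties["dsHeuristics"].Value
if ([string]::IsNullOrEmpty($dsHeuristics)) { $dsHeuristics = "" }

# The seventh character controls anonymous LDAP operations; "2" allows them
# beyond RootDSE on Windows Server 2003 and later.
$seventh = if ($dsHeuristics.Length -ge 7) { $dsHeuristics[6] } else { "0" }
$anonymousEnabled = ($seventh -eq "2")

[PSCustomObject]@{
    dsHeuristics         = $dsHeuristics
    AnonymousLdapEnabled = $anonymousEnabled
}

# List ACEs on the audited container granted to ANONYMOUS LOGON (S-1-5-7).
$anonymousSid = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-7")
$entry = [ADSI]"LDAP://$auditDn"
$acl   = $entry.ObjectSecurity
$acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $anonymousSid } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited
```

Run it as an authenticated domain user; an empty second listing means no explicit or inherited ACE on that container names ANONYMOUS LOGON, regardless of the dsHeuristics setting.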

