You want to enable anonymous LDAP access for clients. In Windows 2000 Active Directory, anonymous queries were enabled by default, although restricted. With Windows Server 2003 Active Directory, anonymous queries are disabled except for querying the RootDSE.
Open ADSI Edit.
In the Configuration partition, browse to cn=Services cn=Windows NT cn=Directory Service.
In the left pane, right-click on the Directory Service object and select Properties.
Double-click on the dSHeuristics attribute.
If the attribute is empty, set it with the value: 0000002.
If the attribute has an existing value, make sure the seventh digit is set to 2.
Click OK twice.
' This code enables or disables anonymous query mode for a forest. ' ------ SCRIPT CONFIGURATION ------ boolEnableAnonQuery = 2 ' e.g. 2 to enable, 0 to disable ' ------ END CONFIGURATION --------- set objRootDSE = GetObject("LDAP://RootDSE") set objDS = GetObject( _ "LDAP://cn=Directory Service,cn=Windows NT,cn=Services," _ & objRootDSE.Get("configurationNamingContext") ) strDSH = objDS.Get("dSHeuristics") for i = len(strDSH) to 6 strDSH = strDSH & "0" next strNewDSH = Left(strDSH,6) & boolEnableAnonQuery strNewDSH = strNewDSH & Right(strDSH, len(strDSH) - 7 ) WScript.Echo "Old value: " & strDSH WScript.Echo "New value: " & strNewDSH if strDSH <> strNewDSH then objDS.Put "dSHeuristics", strNewDSH objDS.SetInfo WScript.Echo "Successfully set anon query mode to " & boolEnableAnonQuery else WScript.Echo "Anon query mode already set to " & boolEnableAnonQuery end if
To enable anonymous access, you have to modify the dSHeuristics attribute of the cn=Directory Service,cn=Windows NT,cn=Services,ConfigurationDN object. The dSHeuristics attribute is an interesting attribute used to control certain behavior in Active Directory. For example, you can enable "List Object Mode" (see Recipe 14.15) by setting the dSHeuristics flag.
The dSHeuristics attribute consists of a series of digits that when set enable certain functionality. To enable anonymous access, the seventh bit must be set to 2. By default, dSHeuristics does not have a value. If you set it to enable anonymous access, the value would be the following: 0000002.
After enabling anonymous access, the assumption is you'll want to grant access for anonymous users to retrieve some data from Active Directory. To do that, grant the ANONYMOUS LOGON user access to the parts of the directory you want anonymous users to search. You must grant the access from the root of the directory down to the object of interest. See MS KB 320528 for an example of how to enable the anonymous user to query email addresses of user objects.
MS KB 320528 (How to Configure Active Directory to Allow Anonymous Queries), and MS KB 326690 (Anonymous LDAP Operations to Active Directory Are Disabled on Windows Server 2003 Domain Controllers)