I found this great article here: http://www.petri.co.il/anonymous_ldap_operations_in_windows_2003_ad.htm
I recently went to a new company and wanted to setup an application to use their central AD. Not knowing anything about their setup, and not having any access to the AD server, I was able to determine that anonymous read access was not enabled in our environment.
By default, anonymous LDAP operations, except rootDSE searches and binds, are not permitted on Windows 2003 domain controllers. This means that when trying to perform unauthenticated search in AD, you can query for attributes of the RootDSE object only – any other query will result in DC requesting authenticated bind to LDAO and refusing your query.
Let’s see what we are allowed to see when trying to perform an anonymous lookup against W2K3 domain controller.
The query below is performed from a Linux machine just to eliminate the query tools attempt on Windows to perform GSSAPI authentication.
Just to decipher the syntax above:
- -h hostname.domain.com (perform the query against specified host)
- -b ” (Use RootDSE as the search base)
- -x (Use simple bind, no encryption)
- -LLL (Print responses in LDIF format without comments and version)
- -s base ( Do a base search as opposed to a subtree or onelevel)
- ‘objectClass=*’ (LDAP filter which basically means: return anything you find)
If you repeat the above command with -s sub (Subtree scope) query you will get an error message similar to the following. This tells you that anonymous bind access is disabled for the domain.