Allow Anonymous LDAP Binding to an AD LDS Instance

Applies To: Windows Server 2008

Active Directory Lightweight Directory Services (AD LDS) does not accept anonymous bind requests by default. You can use this procedure to enable anonymous Lightweight Directory Access Protocol (LDAP) operations in AD LDS by setting the seventh character of the dsHeuristics value to 2. Changing dsHeuristics only permits the bind; in addition, you must assign permissions so that anonymous users have access to the appropriate objects in the directory. To grant the Read permission on all objects in a given directory partition to anonymous users, add the built-in security principal Anonymous (from the local computer) to the Readers group on that directory partition.

Membership in Administrators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To allow anonymous LDAP binding to an AD LDS instance

  1. Click Start, point to Administrative Tools, and then click ADSI Edit.

  2. Connect and bind to the configuration directory partition of the AD LDS instance on which you want to allow anonymous LDAP binding. For more information, see Manage an AD LDS Instance Using ADSI Edit.

  3. In the console tree, double-click the configuration directory partition (CN=Configuration,CN={GUID}), double-click the services container (CN=Services), double-click the Windows NT container (CN=Windows NT), right-click the directory service container (CN=Directory Service), and then click Properties.

  4. In Attributes, click dsHeuristics, and then click Edit.

  5. In Value, modify the value of the seventh character in the attribute (counting from the left) to 2, as follows:

    0000002001001

  6. Click OK twice.
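The same change performed from PowerShell, as an added example that is not part of the original page or of Microsoft's documentation. It assumes the AD LDS instance listens on localhost port 389 (the port is chosen at instance setup, so adjust it) and uses the placeholder `CN={GUID}` for the configuration partition name shown in ADSI Edit. The helper preserves every existing dsHeuristics character and changes only position seven, which matters because other positions carry unrelated settings; it then reads the attribute back to confirm the edit took effect.

```powershell
# Added example, not from the original page. Assumptions: instance reachable at
# $Server:$Port, and the configuration partition name below (replace the placeholder
# GUID with the one displayed in ADSI Edit).
$Server = 'localhost'
$Port   = 389                                   # assumption: LDAP port chosen at setup
$ConfigPartition = 'CN=Configuration,CN={GUID}' # placeholder, copy from ADSI Edit

$dsPath = "LDAP://$Server`:$Port/CN=Directory Service,CN=Windows NT,CN=Services,$ConfigPartition"
$ds = [ADSI]$dsPath

# Build the new dsHeuristics value: pad with '0' up to seven characters if the
# attribute is short or absent, set position 7 (index 6) to '2', keep the rest.
function Set-SeventhCharacter {
    param([string]$Current)
    $padded = $Current.PadRight(7, '0')
    return $padded.Substring(0, 6) + '2' + $padded.Substring(7)
}

# dsHeuristics is not set on a fresh instance, so Get() throws; treat that as empty.
$before = ''
try { $before = [string]$ds.Get('dsHeuristics') } catch { $before = '' }
$after = Set-SeventhCharacter $before
Write-Host "dsHeuristics before: '$before'  after: '$after'"

if ($before -ne $after) {
    $ds.Put('dsHeuristics', $after)
    $ds.SetInfo()                                # commit the change to the directory
}

# Verify: re-read from the server and check that the seventh character is now '2'.
$ds.RefreshCache()
$check = [string]$ds.Get('dsHeuristics')
if ($check.Length -ge 7 -and $check[6] -eq '2') {
    Write-Host "OK: anonymous LDAP operations enabled (dsHeuristics = '$check')"
} else {
    Write-Warning "dsHeuristics is '$check'; seventh character is not '2'"
}
```

Run it in an elevated PowerShell session as a member of Administrators on the AD LDS server. The script deliberately does not touch permissions: granting Anonymous membership in a partition's Readers group is a separate step, and it is worth limiting that grant to the partition (or the specific objects) that actually need anonymous read access rather than every partition the instance hosts.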