Skip navigation

How can I enable anonymous Lightweight Directory Access Protocol (LDAP) connections under Windows Server 2003?

A. By default, connections to Active Directory (AD) must bind via a set of credentials so that they can perform a meaningful directory search. If you have applications that can't authenticate, you can enable anonymous LDAP connections. To do so, perform these steps:

  1. Start adsiedit.msc, which is part of the Windows 2000 or later support tools. (Start, Run, adsiedit.msc).
  2. Expand the Configuration container. Expand Services - Windows NT.
  3. Right-click "CN=Directory Service" and select Properties.
  4. Double-click the dSHeuristics attribute.
  5. If the value is Not Set, set it to 0000002. If the value field isn't blank, change the seventh character of the string to 2 (e.g., if the value is 001, you'd change it to 0010002). Click OK.
  6. Close ADSI Edit.

After the change has replicated to all domain controllers (DCs), Windows 2003 will allow anonymous LDAP connections. However, ACLs on the data in AD still apply, so to let anonymous users view objects, you need to grant them Anonymous logon access rights. For example, to let anonymous users view an OU's contents, grant "Anonymous logon" the List Contents right.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.