Can someone without a domain user account interact with Active Directory to obtain, e.g. password policy, list of domain users, list of domain controllers etc.? - or is it impossible to interact with Active Directory without domain user credentials?
02 Answers
If you are a Domain Administrator, it is possible to enable anonymous (unauthenticated) logins to the AD LDAP service via the dSHeuristics parameter. The search term for that is "anonymous bind". Once that's enabled, you'll probably have to grant access to individual LDAP entries via ACLs.
Is it wise to do so? IMHO, not at all. At the very least, it would easily become a major privacy issue for your employees – and attract security problems as well. (Hence no links to documentation.)
If you are writing a script for domains managed by someone else – the general answer is "no". Even things such as services or batch jobs should have their own credentials.
I'm not sure what you mean by windows specific. Active Directory provides a LDAP interface to work with it. Most of the information AD provides can be queried using that interface.
Microsoft has various articles that go into detail as to how it works and what's important. For instance:
- Serverless Binding and RootDSE which has some information about how to connect to AD.
- RootDSE Schema Information which details what information is available within RootDSE.
- How Active Directory Searches Work which also has some information about anonymous access.
- Anonymous LDAP operations to Active Directory are disabled on Windows Server 2003 domain controllers
By default AD wouldn't/shouldn't accept anonymous connections which can be changed. If they are enabled ACLs might limit what you're able to query for. In order to test this you migth be able to use ADSI edit or another LDAP tool. Access to RootDSE should be possible.
2