Is it possible to interact with Active Directory without a domain user account?

Can someone without a domain user account interact with Active Directory to obtain, e.g. password policy, list of domain users, list of domain controllers etc.? - or is it impossible to interact with Active Directory without domain user credentials?

0

2 Answers

If you are a Domain Administrator, it is possible to enable anonymous (unauthenticated) logins to the AD LDAP service via the dSHeuristics parameter. The search term for that is "anonymous bind". Once that's enabled, you'll probably have to grant access to individual LDAP entries via ACLs.

Is it wise to do so? IMHO, not at all. At the very least, it would easily become a major privacy issue for your employees – and attract security problems as well. (Hence no links to documentation.)

If you are writing a script for domains managed by someone else – the general answer is "no". Even things such as services or batch jobs should have their own credentials.

I'm not sure what you mean by windows specific. Active Directory provides a LDAP interface to work with it. Most of the information AD provides can be queried using that interface.

Microsoft has various articles that go into detail as to how it works and what's important. For instance:

By default AD wouldn't/shouldn't accept anonymous connections which can be changed. If they are enabled ACLs might limit what you're able to query for. In order to test this you migth be able to use ADSI edit or another LDAP tool. Access to RootDSE should be possible.

2

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like