Restricting Anonymous Access to Active Directory
You want to enable or disable anonymous access to the information stored in the Active Directory database.
Using a graphical user interface
Using a command-line interface
You have three command-line choices for modifying the membership of the Pre-Windows 2000 Compatible Access security group: net localgroup, DSMod, or AdMod. net localgroup takes the following syntax (the first two commands remove the anonymous principals, the third adds Authenticated Users):
> net localgroup "Pre-Windows 2000 Compatible Access" Everyone /delete
> net localgroup "Pre-Windows 2000 Compatible Access" "Anonymous Logon" /delete
> net localgroup "Pre-Windows 2000 Compatible Access" "Authenticated Users" /add
To replace the group membership using DSMod so that it includes only Authenticated Users (-chmbr replaces the entire member list), enter the following:
> dsmod group "cn=Pre-Windows 2000 Compatible Access,cn=Builtin,<DomainDN>" -chmbr "cn=S-1-5-11,cn=ForeignSecurityPrincipals,<DomainDN>"
To do the same with AdMod (the :: operator replaces the existing values of the member attribute), use the following syntax:
> admod -b "cn=Pre-Windows 2000 Compatible Access,cn=Builtin,<DomainDN>" member::"cn=S-1-5-11,cn=ForeignSecurityPrincipals,<DomainDN>"
Using VBScript
' This code replaces the membership of the Pre-Windows 2000 Compatible Access
' group so that it contains only Authenticated Users.
' ------ SCRIPT CONFIGURATION ------
strAnonAccessDN = "cn=Pre-Windows 2000 Compatible Access," & _
                  "cn=Builtin,<DomainDN>"
strAuthUsersDN = "cn=S-1-5-11,cn=ForeignSecurityPrincipals,<DomainDN>"
Const ADS_PROPERTY_CLEAR = 1   ' Used to clear the existing membership
' ------ END CONFIGURATION --------
set objAnonAccess = GetObject("LDAP://" & strAnonAccessDN)
' Remove all existing members, including Everyone and Anonymous Logon
objAnonAccess.PutEx ADS_PROPERTY_CLEAR, "member", 0
objAnonAccess.SetInfo
' Now add Authenticated Users only
objAnonAccess.Add "LDAP://" & strAuthUsersDN
Anonymous access to Active Directory is controlled by membership in the Pre-Windows 2000 Compatible Access security group, located in the cn=Builtin container. The group's name reflects its purpose: some legacy applications and operating systems, most notably Windows NT 4.0 RAS servers, required anonymous access to the information stored in AD in order to function properly. The default membership of this group depends on whether you selected "Permissions compatible with pre-Windows 2000 operating systems" or "Permissions compatible with only Windows 2000 and Windows 2003" when you ran dcpromo. If you selected the former, the Everyone group and the Anonymous Logon SID were added to Pre-Windows 2000 Compatible Access; if the latter, only Authenticated Users was added.
In the DSMod, AdMod, and VBScript solutions, the Authenticated Users group is specified by its SID, and the corresponding object resides in the ForeignSecurityPrincipals container. This is because well-known SIDs such as Everyone (S-1-1-0) and Authenticated Users (S-1-5-11) are not maintained as regular objects within Active Directory itself; when they are referenced, for example as group members, they are represented by foreign security principal objects in the FSP container, named after the SID.
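A PowerShell audit of the group, added here as an example and not part of the original recipe: it reads the member attribute through ADSI (as the VBScript solution does), recognizes well-known SIDs by the cn of their ForeignSecurityPrincipals entries, and reports whether Everyone or Anonymous Logon (SID S-1-5-7) is still a member. It assumes a domain-joined host that can bind to a domain controller over LDAP; the SID lookup table is constructed for the example.

```powershell
# Added example: audit Pre-Windows 2000 Compatible Access for anonymous access.
# Assumes a domain-joined host that can reach a DC over LDAP; no RSAT module needed.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext
$group    = [ADSI]"LDAP://cn=Pre-Windows 2000 Compatible Access,cn=Builtin,$domainDn"

# Well-known SIDs appear as FSP entries: cn=<SID>,cn=ForeignSecurityPrincipals,...
# Lookup table constructed for this example; S-1-5-7 is the Anonymous Logon SID.
$wellKnown = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-7'  = 'Anonymous Logon'
    'S-1-5-11' = 'Authenticated Users'
}
$anonymousSids = @('S-1-1-0', 'S-1-5-7')

$findings = foreach ($dn in @($group.member)) {
    # FSP entries carry the SID as their cn; any other DN is a regular AD object.
    if ($dn -match '^CN=(S-1-[\d-]+),CN=ForeignSecurityPrincipals,') {
        $sid  = $Matches[1]
        $name = if ($wellKnown.ContainsKey($sid)) { $wellKnown[$sid] } else { $sid }
        [pscustomobject]@{
            Member          = $name
            SID             = $sid
            GrantsAnonymous = ($anonymousSids -contains $sid)
        }
    } else {
        [pscustomobject]@{ Member = $dn; SID = $null; GrantsAnonymous = $false }
    }
}

$findings | Format-Table -AutoSize

if ($findings | Where-Object GrantsAnonymous) {
    Write-Warning "Anonymous access to AD is enabled: Everyone or Anonymous Logon is a member; remove them as shown in the recipe."
} else {
    Write-Host "Only authenticated principals are members; anonymous access is restricted."
}
```

A group whose only FSP member is S-1-5-11 corresponds to the "Permissions compatible with only Windows 2000 and Windows 2003" default described above.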
See also: MS KB 303973 (How to Add Users to the Pre-Windows 2000 Compatible Access Group) and MS KB 243330 (Well-Known Security Identifiers in Windows Operating Systems).