Restricting Anonymous Access to Active Directory

Problem

You want to enable or disable anonymous access to the information stored in the Active Directory database.

Solution

Using a graphical user interface
  1. Open the Active Directory Users and Computers (ADUC) snap-in.

  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select "Connect to Domain," enter the domain name, and click OK.

  3. Navigate to the Builtin container. Double-click on the Pre-Windows 2000 Compatible Access group.

  4. Click the Members tab.

  5. Select the Everyone group and click the Remove button. Click Yes and then OK to confirm.

  6. Select the Anonymous Logon user and click the Remove button. Click Yes and then OK to confirm.

  7. If the Authenticated Users group is not present in the group membership list, click Add to include it and then click OK.

Using a command-line interface

You have three command-line choices for modifying the Pre-Windows 2000 Compatible Access security group: net localgroup, DSMod, or AdMod. net localgroup takes the following syntax:

	> net localgroup "Pre-Windows 2000 Compatible Access" Everyone /delete
	> net localgroup "Pre-Windows 2000 Compatible Access" "Anonymous Logon" /delete
	> net localgroup "Pre-Windows 2000 Compatible Access" "Authenticated Users" /add

To update the group membership using DSMod so that it only includes Authenticated Users, enter the following:

	> dsmod group "cn=Pre-Windows 2000 Compatible Access,cn=Builtin,<DomainDN>" -chmbr "cn=S-1-5-11,cn=ForeignSecurityPrincipals,<DomainDN>"

To use AdMod, use the following syntax:

	> admod b "cn=Pre-Windows 2000 Compatible Access,cn=Builtin,<DomainDN>" member::"cn=S-1-5-11,cn=ForeignSecurityPrincipals,<DomainDN>"

Using VBScript
	' This script clears the existing membership of the
	' Pre-Windows 2000 Compatible Access group and then adds
	' Authenticated Users as its only member.
	' ------ SCRIPT CONFIGURATION ------
	strGroupDN = "cn=Pre-Windows 2000 Compatible Access," & _
	             "cn=Builtin,<DomainDN>"
	strAuthUsersDN = "cn=S-1-5-11,cn=ForeignSecurityPrincipals,<DomainDN>"
	Const ADS_PROPERTY_CLEAR = 1 ' Clears every value of an attribute
	' ------ END CONFIGURATION --------

	' Bind to the group object
	Set objGroup = GetObject("LDAP://" & strGroupDN)

	' Remove all existing members, including Everyone and Anonymous Logon
	objGroup.PutEx ADS_PROPERTY_CLEAR, "member", 0
	objGroup.SetInfo

	' Now add Authenticated Users as the only member
	objGroup.Add "LDAP://" & strAuthUsersDN
	WScript.Echo "Updated membership of " & strGroupDN
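
The following PowerShell script is an added example, not part of the original recipe; it does with the ActiveDirectory module what the net localgroup, DSMod, AdMod, and VBScript solutions above do by hand, and adds an audit step so you can check the group before and after changing it. It assumes the RSAT ActiveDirectory module is installed, that the account running it can modify groups in the Builtin container, and that the domain uses the default CN=ForeignSecurityPrincipals,<DomainDN> container. The function names (Get-Pre2000Members, Test-AnonymousAccess, Set-AuthenticatedUsersOnly) are this example's own. The SIDs S-1-1-0 (Everyone) and S-1-5-11 (Authenticated Users) come from the recipe; S-1-5-7 (Anonymous Logon) is the standard well-known SID for that principal.

```powershell
# Added example: audit and remediate the membership of the
# "Pre-Windows 2000 Compatible Access" group. Not from the original recipe.
# Assumes the RSAT ActiveDirectory module and rights to modify Builtin groups.
Import-Module ActiveDirectory

$GroupName = 'Pre-Windows 2000 Compatible Access'

# Well-known SIDs. Everyone and Authenticated Users are named in the recipe;
# S-1-5-7 is the standard well-known SID for Anonymous Logon.
$WellKnown = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-7'  = 'Anonymous Logon'
    'S-1-5-11' = 'Authenticated Users'
}
$AnonymousSids = @('S-1-1-0', 'S-1-5-7')

function Get-Pre2000Members {
    # Returns one object per member DN with its resolved SID and a friendly name.
    # Members are read from the group's "member" attribute rather than via
    # Get-ADGroupMember, so foreignSecurityPrincipal objects resolve cleanly.
    $group = Get-ADGroup -Identity $GroupName -Properties member
    foreach ($dn in $group.member) {
        $obj = Get-ADObject -Identity $dn -Properties objectSid
        $sid = if ($obj.objectSid) { $obj.objectSid.Value } else { $null }
        $name = if ($sid -and $WellKnown.ContainsKey($sid)) { $WellKnown[$sid] } else { $obj.Name }
        [pscustomobject]@{
            DistinguishedName = $dn
            Sid               = $sid
            Name              = $name
        }
    }
}

function Test-AnonymousAccess {
    # Returns $true when Everyone or Anonymous Logon is still a member,
    # i.e. when anonymous access to directory data is still granted.
    $hits = @(Get-Pre2000Members | Where-Object { $_.Sid -in $AnonymousSids })
    foreach ($h in $hits) {
        Write-Warning ("{0} grants anonymous access via {1}" -f $h.Name, $h.DistinguishedName)
    }
    return ($hits.Count -gt 0)
}

function Set-AuthenticatedUsersOnly {
    # Removes Everyone and Anonymous Logon, then ensures Authenticated Users
    # is a member. Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $domainDn  = (Get-ADDomain).DistinguishedName
    # Well-known SIDs are referenced through their foreignSecurityPrincipal object
    $authUsers = "CN=S-1-5-11,CN=ForeignSecurityPrincipals,$domainDn"

    $members = @(Get-Pre2000Members)
    foreach ($m in ($members | Where-Object { $_.Sid -in $AnonymousSids })) {
        if ($PSCmdlet.ShouldProcess($m.DistinguishedName, "Remove from $GroupName")) {
            Remove-ADGroupMember -Identity $GroupName -Members $m.DistinguishedName -Confirm:$false
        }
    }
    if (-not ($members.Sid -contains 'S-1-5-11')) {
        if ($PSCmdlet.ShouldProcess($authUsers, "Add to $GroupName")) {
            Add-ADGroupMember -Identity $GroupName -Members $authUsers
        }
    }
}

# Usage:
#   Test-AnonymousAccess                 # audit only; $true means anonymous access is still granted
#   Set-AuthenticatedUsersOnly -WhatIf   # preview the change
#   Set-AuthenticatedUsersOnly           # apply it
#   Test-AnonymousAccess                 # re-check; should now return $false
```

Running Test-AnonymousAccess on a schedule (or from a configuration baseline) is a cheap way to detect drift if someone re-adds Everyone to satisfy a legacy application. Set-AuthenticatedUsersOnly mirrors the DSMod -chmbr semantics, except that it removes only the two anonymous principals and leaves any other deliberately added members in place; use the DSMod or VBScript form above if you want the membership replaced outright.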

Discussion

Anonymous access to Active Directory is controlled by membership in the Pre-Windows 2000 Compatible Access security group, located in the cn=Builtin container. The group is named this way because some legacy applications and operating systems, most notably Windows NT 4.0 RAS servers, required anonymous access to the information stored in AD in order to function properly. The default membership of this group depends on whether you selected "Permissions compatible with pre-Windows 2000 operating systems" or "Permissions compatible with only Windows 2000 and Windows 2003" when you ran dcpromo. If you selected the former, the Everyone group and the Anonymous Logon SID were added to Pre-Windows 2000 Compatible Access; if the latter, only Authenticated Users was added.

In the DSMod, AdMod, and VBScript solutions, the Authenticated Users group was specified by its SID, as an object in the ForeignSecurityPrincipals container. This is because well-known SIDs such as Everyone (S-1-1-0) and Authenticated Users (S-1-5-11) are not maintained within Active Directory itself and are therefore represented by placeholder objects in the FSP container.

See Also

MS KB 303973 (How to Add Users to the Pre-Windows 2000 Compatible Access Group) and MS KB 243330 (Well-Known Security Identifiers in Windows Operating Systems)
