Granting anonymous read access
This step involves granting "NT AUTHORITY\ANONYMOUS LOGON" (a well-known security principal) access to the objects you want to be locatable by means of anonymous lookups. This can be compared to opening some of the doors to the apartments inside the building.

Let's give it a try and expose some details about one of my computers to the public:
- Open Active Directory Users and Computers.
- Make sure "View Advanced Features" is checked.
- Navigate to the object whose information you want to expose and double-click it.
- Go to the Security tab and click the Add button.
- Type in "ANONYMOUS LOGON" and acknowledge the dialog.
- In the ACL you will notice that "ANONYMOUS LOGON" now has access to some property sets of the computer object (you can actually grant more granular access permissions to the object, but this is beyond the scope of this article).
Let's test it:

Hey! This didn't work! Well, apparently there is a good reason for that: you need to grant at least the "List Contents" permission to "ANONYMOUS LOGON" on the OU in which the object you are querying for resides.

How do you do that?
- In Active Directory Users and Computers, right-click the OU the object is located in and choose Properties.
- Click the Security tab and click Advanced.
- Click the Add button and in the dialog that opens type in "ANONYMOUS LOGON".
- Acknowledge the dialog. This will open a new dialog window.
- In the "Apply to" drop-down box choose "This object only" and tick the "List Contents" checkbox as shown in the picture:
Now let's try it again:

Hurray! Now it works.

Happy binding.
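The same two grants, scripted so that they can be reviewed and reverted, followed by a genuine anonymous LDAP bind and search as the test. This is an added example, not the article's own code. It assumes the ActiveDirectory PowerShell module (for the AD: drive), that anonymous LDAP operations were already enabled on the directory in the earlier step, and hypothetical names: an OU "OU=Workstations,DC=example,DC=com", a computer "WKS01" inside it, and a domain controller "dc1.example.com". Note that it grants GenericRead on the computer object, which is broader than the handful of property sets the GUI's Add button grants by default; narrow it to ReadProperty on specific attributes if you only need, say, dNSHostName.

```powershell
# Added example (not from the original article). Names below are hypothetical:
# adjust the OU, computer and DC to your environment.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices
Add-Type -AssemblyName System.DirectoryServices.Protocols

$ouDn       = 'OU=Workstations,DC=example,DC=com'
$computerDn = "CN=WKS01,$ouDn"
$dcHost     = 'dc1.example.com'

# ANONYMOUS LOGON is the well-known SID S-1-5-7; resolving by SID avoids
# depending on the localized account name.
$anonymous = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-7'

function Add-AnonymousAce {
    param(
        [string]$DistinguishedName,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights
    )
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    # Inheritance None = "This object only": nothing below inherits the grant.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $anonymous, $Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

# 1. Read access on the computer object itself.
Add-AnonymousAce -DistinguishedName $computerDn -Rights GenericRead

# 2. List Contents on the parent OU; without this the anonymous search
#    cannot enumerate the OU and returns nothing, exactly as in the article.
Add-AnonymousAce -DistinguishedName $ouDn -Rights ListChildren

# Test: bind anonymously (no credentials at all) and search for the computer.
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection $dcHost
$conn.SessionOptions.ProtocolVersion = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
$conn.Bind()

$request = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $ouDn, '(cn=WKS01)',
    [System.DirectoryServices.Protocols.SearchScope]::OneLevel,
    @('dNSHostName', 'operatingSystem'))
$response = $conn.SendRequest($request)

if ($response.Entries.Count -eq 0) {
    Write-Warning 'No entries returned: check the List Contents ACE on the OU.'
} else {
    foreach ($entry in $response.Entries) {
        $entry.DistinguishedName
        foreach ($attr in $entry.Attributes.AttributeNames) {
            '  {0} = {1}' -f $attr, $entry.Attributes[$attr][0]
        }
    }
}
```

Keep the scope as tight as the article shows: "This object only" on the OU and a single computer object. Every attribute you grant this way is readable by any host that can reach port 389 on the domain controller without presenting credentials, so remove both ACEs again (Get-Acl, RemoveAccessRule, Set-Acl) once the lookup is no longer needed.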