A. I strongly recommend against this. Many applications communicate with directory services through LDAP, but the LDAP Request for Comments (RFC) specification stipulates that an LDAP bind should support the passing of a credential. Connecting anonymously really shouldn't be needed. You may have many Unix-style applications that currently use an anonymous LDAP bind to other directory services, but there's a good chance that they do actually support binding through a credential, making anonymous binding unnecessary.

Where possible, if anonymous binds are required, create a separate AD LDS instance that allows the anonymous connection and has the subset of information that's required by the application.

If you have to enable anonymous binds, you can do so.

  1. Start Adsiedit.msc (Start, Run, Adsiedit.msc).
  2. Expand the Configuration container. Expand Services, Windows NT.
  3. Right-click CN=Directory Service and select Properties.
  4. Double-click the dSHeuristics attribute.
  5. If the value is currently , set it to 0000002. If it isn't currently blank, you must change the 7th character of the string to 2. (For example, if it was 001, 0010002 should be your new value. Click OK.
  6. Close the ADSIEdit tool.

Anything that NT AUTHORITY\ANONYMOUS LOGON or Everyone has rights to can now be read through an anonymous bind.