Server Objects Are Returned by Programs That Use LDAP to Access Active Directory (247118)

SYMPTOMS

When you use programs that use Lightweight Directory Access Protocol (LDAP) to access Active Directory, a limited number of objects may be returned by the program.

CAUSE

This issue occurs because the program performs an anonymous bind by using LDAP. Only objects where the Everyone group has Read permissions are returned. By default, authenticated users have Read access to all objects.

RESOLUTION

To resolve this issue, assign the Everyone group Read permissions to objects in Active Directory. This permits anonymous access to objects for programs that use LDAP. If you modify access rights to objects, you must consider the security ramifications of the changes that you make.

You can configure security settings for each object that the program may access. To configure security settings, modify the Access Control settings of the object, or use the Dsacls.exe tool that is located in the Windows 2000 Support folder on the Windows 2000 Server CD-ROM. For pre-Windows 2000 programs, use the Application Compatibility tool, Apcompat.exe.

REFERENCES

For additional information about how to edit the access control list (ACL) of an Active Directory object, click the following article number to view the article in the Microsoft Knowledge Base:

218596 HOW TO: Assign Access Control Permissions on the Properties of an Active Directory Object

For additional information about the Dsacls.exe tool, click the following article number to view the article in the Microsoft Knowledge Base:

281146 How to Use Dsacls.exe in Windows 2000

For additional information about the Apcompat.exe tool, click the following article number to view the article in the Microsoft Knowledge Base:

251062 Description of the Application Compatibility Tool