Confusion with LDAP Anonymous Simple Bind and Pre-Windows 2000 Compatible Access Group

Hi

While trying to understand the functionality of the "BUILTIN\Pre-Windows 2000 Compatible Access" group, I was able to enumerate a specific set of information ANONYMOUSLY when using certain APIs like the SAMR named pipe over SMB, detailed HERE. The tool I used to enumerate information anonymously from AD using a NULL session is called SuperScan.

The key in this first scenario is to add the special identity "NT AUTHORITY\ANONYMOUS LOGON" to the "BUILTIN\Pre-Windows 2000 Compatible Access" group and use software which uses the noted APIs to query/enumerate information.

If we look at the default security descriptor of the domain, we can see the Pre-Windows 2000 group is present with some pre-defined level of granted rights (refer to the first image pasted below).

Now I continue with the second scenario, where I try to enumerate information anonymously but using LDAP/LDP.exe.

Now by default with Windows Server 2003, an anonymous LDAP bind operation isn't permitted unless this behavior has been explicitly overridden using the DsHeuristics attribute. As per this article, the author indeed changed the noted attribute value, but he also changed the security descriptor of the targeted containers (in the author's case, SENECA) to allow "NT AUTHORITY\Anonymous Logon" List Contents and Read permissions!

Now if we don't add and grant rights to "NT AUTHORITY\Anonymous Logon" for the given container/object, then we won't be able to search/browse information anonymously using LDP.exe, and this is the part that confuses me.

If I look at the default ACL of the domain object, we see that by default multiple permissions, including List Contents and Read, exist for the "BUILTIN\Pre-Windows 2000 Compatible Access" group, applied recursively (This object and all child objects), as shown in the attachment.


Now if I have already added "NT AUTHORITY\ANONYMOUS LOGON" to the "BUILTIN\Pre-Windows 2000 Compatible Access" group, then "NT AUTHORITY\Anonymous Logon" should automatically possess all of the rights held by the "BUILTIN\Pre-Windows 2000 Compatible Access" group, and I should be able to view information anonymously using a simple LDAP bind, but indeed it's NOT! Please correct me if I am wrong here.

I am trying to enumerate information under the Users container anonymously.

Please Assist.

January 26th, 2015 6:11pm

Additional Images

January 26th, 2015 6:12pm

Hi,

Before going further, I do admit you make a good point here. Based on the test in my lab (I use Server 2012 R2), to allow anonymous query, in addition to editing the DsHeuristics attribute, we do need to explicitly add NT AUTHORITY\ANONYMOUS LOGON in the Security context of the objects we need to query anonymously.

Best regards,

Fran

January 29th, 2015 9:47am
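The original post and the reply above turn on three settings: the dSHeuristics value on the Directory Service object, the membership of the Pre-Windows 2000 Compatible Access group, and whether ANONYMOUS LOGON holds an explicit ACE on the container being queried. The following PowerShell audit is an added example, not code from either poster; it assumes the RSAT ActiveDirectory module and a domain-joined account with read access to the configuration and domain naming contexts, and it reports each setting without changing anything.

```powershell
# Added audit example (not from the thread). Reads the three settings the
# discussion is about; makes no changes. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDN = $rootDse.defaultNamingContext
$configNC = $rootDse.configurationNamingContext

# 1. dSHeuristics: the 7th character (fLDAPBlockAnonOps) set to '2' permits
#    anonymous LDAP operations beyond rootDSE; any other value keeps the
#    Windows Server 2003+ default of blocking them.
$dsObj = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                      -Properties dSHeuristics
$heur  = [string]$dsObj.dSHeuristics
$anonLdapAllowed = ($heur.Length -ge 7) -and ($heur[6] -eq '2')
"dSHeuristics = '$heur'  -> anonymous LDAP operations allowed: $anonLdapAllowed"

# 2. Pre-Windows 2000 Compatible Access (well-known SID S-1-5-32-554): list its
#    members and flag ANONYMOUS LOGON (S-1-5-7) and Everyone (S-1-1-0), the two
#    identities that widen anonymous SAMR/SMB enumeration when present.
$group = Get-ADGroup -Identity 'S-1-5-32-554' -Properties member
foreach ($dn in $group.member) {
    $m   = Get-ADObject -Identity $dn -Properties objectSid
    $sid = $m.objectSid.Value
    $flag = switch ($sid) {
        'S-1-5-7' { ' <-- ANONYMOUS LOGON' }
        'S-1-1-0' { ' <-- Everyone' }
        default   { '' }
    }
    "Pre-Windows 2000 member: $($m.Name) [$sid]$flag"
}

# 3. Explicit ACEs for ANONYMOUS LOGON on the Users container (the object the
#    original poster queries). The reply above found that this explicit ACE,
#    not the group membership in step 2, is what governs anonymous LDP.exe reads.
$acl = Get-Acl -Path "AD:\CN=Users,$domainDN"
$anonAces = $acl.Access | Where-Object { $_.IdentityReference.Value -like '*ANONYMOUS LOGON' }
if ($anonAces) {
    $anonAces | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType |
        Format-Table -AutoSize
} else {
    "No explicit ACE for ANONYMOUS LOGON on CN=Users,$domainDN"
}
```

Run it from an elevated PowerShell session on a domain member; the AD: drive used in step 3 is created when the ActiveDirectory module loads. Replace CN=Users with any other container DN to audit the object you actually care about.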

Thanks Frank for checking and reverting back. I think I am wrong in understanding the way special identities work. I will revise and revert with findings.

January 31st, 2015 6:12am

I did check, and yet, all in vain, I couldn't figure it out. Please assist with the confusion relating to anonymous access via SAMR vs. LDAP by nesting the Anonymous Logon group with the Pre-Windows 2000 Compatible Access group.
January 31st, 2015 11:52am
