NULL session restrictions in Active Directory domain controllers: samr
samr interface
- Active Directory uses the Pre-Windows 2000 Compatible Access local group to grant or revoke anonymous access to Active Directory objects
- On Windows 2000 Active Directory domain controllers, EVERYONE is included in Pre-Windows 2000 Compatible Access, allowing anonymous enumeration of Active Directory accounts
- On Windows 2003, EVERYONE no longer includes ANONYMOUS LOGON, thus anonymous enumeration is only possible if ANONYMOUS LOGON explicitly appears in Pre-Windows 2000 Compatible Access
- RestrictAnonymous (Windows 2000) and RestrictAnonymousSam (Windows 2003) settings have no effect on samr restrictions on Active Directory domain controllers
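
An added example (not from the original slides): a PowerShell audit that applies the membership rules above to the group's member list and reports whether anonymous samr enumeration is permitted. The function name, its parameters and the sample DNs under DC=example,DC=test are assumptions made for illustration.

```powershell
# Audit "Pre-Windows 2000 Compatible Access" (well-known SID S-1-5-32-554).
# Well-known principals are stored as foreignSecurityPrincipal objects,
# so the SID is the CN of each member's distinguished name.

function Get-Pre2000AnonymousExposure {
    param(
        # Values of the group's 'member' attribute
        [string[]]$MemberDN,
        # Set for Windows 2000 DCs, where EVERYONE covers anonymous users
        [switch]$EveryoneIncludesAnonymous
    )

    $sids = @(foreach ($dn in $MemberDN) {
        if ($dn -match '^CN=(S-1-[0-9-]+),CN=ForeignSecurityPrincipals,') {
            $Matches[1]
        }
    })

    $anonymous = $sids -contains 'S-1-5-7'   # ANONYMOUS LOGON
    $everyone  = $sids -contains 'S-1-1-0'   # EVERYONE

    [pscustomobject]@{
        AnonymousLogonIsMember   = $anonymous
        EveryoneIsMember         = $everyone
        # Explicit ANONYMOUS LOGON always grants access; EVERYONE only
        # does so where it still includes anonymous users (Windows 2000).
        AnonymousSamrEnumeration = $anonymous -or
                                   ($everyone -and $EveryoneIncludesAnonymous)
    }
}

# Constructed sample member list (not taken from a real domain)
$sample = @(
    'CN=S-1-1-0,CN=ForeignSecurityPrincipals,DC=example,DC=test',
    'CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=example,DC=test'
)

Get-Pre2000AnonymousExposure -MemberDN $sample                            # Windows 2003 semantics
Get-Pre2000AnonymousExposure -MemberDN $sample -EveryoneIncludesAnonymous # Windows 2000 semantics

# Against a live domain (requires the ActiveDirectory module):
# $g = Get-ADGroup -Identity 'S-1-5-32-554' -Properties member
# Get-Pre2000AnonymousExposure -MemberDN $g.member
```

With the sample list, only the Windows 2000 call reports anonymous enumeration as possible, because EVERYONE is a member but ANONYMOUS LOGON is not.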