Powershell with Anonymous LOGON for Active Directory


  • Hello!

    I have a problem. Maybe I do something wrong.

    My computer is worked in Domain and i want to connect to Active Directory

    of  domain.

    I can't connect to Active Directory by Powershell use follow code:

    "New-Object System.Directoryservices.DirectoryEntry("LDAP://,dc=ru)"

    I receive follow message:

    "The login and password don't recognize."


    I want to connect to AD with help Anonymous logon. When i use Softerra LDAP Administrator, and connect to AD with help

    login "Anonymous user" it is all Right. I see the Doman tree, I can enter in folders and see all object.

    This may be due to the fact that Powershell is trying to connect the name of the current system user.

    How can i resolve this problem?

    • Edited by fradon Wednesday, November 16, 2011 11:45 AM
    Wednesday, November 16, 2011 10:39 AM


  • The there is an account called anonym with no password.  Use that with ADSI with a blank password.

    $Domain = New-Object System.DirectoryServices.DirectoryEntry([adsi]'', "anonym","")

    You may have to use the domain 'yourdomain\anonym'


    Saturday, November 26, 2011 7:06 PM

All replies

  • [adsi]'LDAP://dc=local,dc=ru)'

    If this doesn't work then you will need to figure out if your firewall is blocking your connection.

    There is no 'anonymous' user for AD.

    Is the AD in your current domain or are you trying to connect to a remote system?

    What protocol is your tool using?  HTTP?, TCP?, What authentication method? Kerberos, Basic, NTLM?



    Wednesday, November 16, 2011 12:44 PM
  • I use TCP and Kerberos

    When i write follow command:

    New-Object System.Directoryservices.DirectoryEntry("LDAP://,dc=ru",login,password)

    It's all right.

    When i connect my computer to domain that it is all Right.

    But when i stay in other domain and try to connect by PowerShell to AD i have error.

    And one way that i have found it is write inside of command information about login and password.


    When i connect to AD by program Softerra LDAP Administrator with "Anonymous user" i haven't the problem.


    • Edited by fradon Wednesday, November 16, 2011 1:02 PM
    Wednesday, November 16, 2011 1:01 PM
  • Sorry but I cannot understand what you are trying to say.

    Ther is no anonymous login for AD.  WHen you use blank credentials it is defaulting to your local credentials.

    You need to post code and complete error message.

    Wednesday, November 16, 2011 1:16 PM
  • How write command if i want to use Anonymous login?
    Wednesday, November 16, 2011 1:50 PM


    $de=New-Object System.Directoryservices.DirectoryEntry($adspath,$user,$pwd,$auth)


    • Edited by jrv Wednesday, November 16, 2011 6:26 PM
    Wednesday, November 16, 2011 6:23 PM
  • Thank for your help.

    But it's not working.  I receive message that user and password don't recognize. I  change $auth,

    $auth='anonymous' , and try to repear

    But system writes me  that it can't find catalog for this parametrs.

    Thursday, November 17, 2011 6:36 AM
  • Sorry but you will need to ask your system administrator for the logon methods.

    You cannot log on with anonymous in AD.

    This is not a scripting isssue.


    Thursday, November 17, 2011 8:18 AM
  • I stand up test network on VirtualBox platform. I stand up servers, install AD with DNS, and i configure its.

    Then i try to connect to AD from computer is standed alone. Computer is a part of workgroup.

    I try to connect trough Powershell to AD and than i receive same error that i discribe early.

    Did i forget to configure something in AD?

    What should i do in configuration AD that i will can to connect with using login Anonimous

    Thursday, November 17, 2011 12:41 PM
  • YOu cannot use AD the way you aretrying to use it.  You mist use crecentials and your machine must be a member of teh domain or, if authentication is realxws,2 you must support the corret protocol.

    You will need to use domain credentials amd use either NTLM or Kerberos authentication.



    Thursday, November 17, 2011 1:37 PM
  • Why not?

    I configure my AD that I will connect with Anonimous logon.

    then i write command on the Workstation:

    New-object System.DirectServices.DirectEntry("LDAP://,dc=ru","user","password")

    and i can see all tree of AD. It's real.

    But when i try use Anonimous I can do it.

    My work AD is working for external users. They receive information from AD trough external programms. And they don't exist in my domain. They can read information from AD.

    I cant't understand why you wrote my so strange information.



    • Edited by fradon Thursday, November 17, 2011 2:01 PM
    Thursday, November 17, 2011 2:00 PM
  • There is no such thing as anonymous logon.  If you use a bland name and password you will be logged on with default credentials.  If you are not part of the domain and you have configured AD correctly you will logged in with the guest account.

    If you ned to know how to configure AD then you will need to post in teh WIndows Server forum as that is out-of-scope for this forum.


    Thursday, November 17, 2011 2:13 PM
  • If your client computer is joined to the domain, you should log onto the computer with domain credentials (a domain user account and the corresponding password). Then you can connect to AD without providing credentials (since you already provided them when you logged on). If your client workstation is not joined to the domain, then you are authenticated to the local  computer and you must use alternate credentials when you connect to AD, where you supply a valid domain username and password. You cannot connect to AD without domain credentials. There is no such thing as anonymous logon. If there were, there would be no need for passwords.

    The PowerShell code I have seen for alternate credentials is similar to:


    $User "MyDomain\MyUserName"
    $Password = "xZY#321z"
    $Path = "LDAP://MyServer/dc=MyDomain,dc=com"

    $Domain = New-Object System.DirectoryServices.DirectoryEntry($Path, $User, $Password)



    Richard Mueller - MVP Directory Services
    Saturday, November 26, 2011 3:35 AM
  • thank you for your advice.

    I use this variant in my script. But i have another problem. Server is protected from external attack. And i can receive information with help  Anonymous logon only  through Ldifde. And now i cant't understand why i can't receive information from ldap same the way as ldifde but only through Powershell

    • Edited by fradon Saturday, November 26, 2011 5:48 PM
    Saturday, November 26, 2011 5:46 PM
  • How are you getting LDIFDE to specify an anonymous logon.  LDIFDE is a commandline tool.

     Here are the only options with LDIFDE:

    Credentials Establishment
    Note that if no credentials is specified, LDIFDE will bind as the currently
    logged on user, using SSPI.

    -a UserDN [Password | *]            Simple authentication
    -b UserName Domain [Password | *]   SSPI bind method

    As you can see there is NO anonymous choice.


    • Edited by jrv Saturday, November 26, 2011 5:55 PM
    Saturday, November 26, 2011 5:52 PM
  • ldifde -a Anonym "" -s -l "cn" -f "1.txt"
    Saturday, November 26, 2011 6:45 PM
  • The there is an account called anonym with no password.  Use that with ADSI with a blank password.

    $Domain = New-Object System.DirectoryServices.DirectoryEntry([adsi]'', "anonym","")

    You may have to use the domain 'yourdomain\anonym'


    Saturday, November 26, 2011 7:06 PM
  • This is another case where a non-technical user has asked a question and insisted on misleading information.


    I write this so others may learn how difficult an answer can be made when you insist on using terms like a'anonymous' or 'anonymous account' or 'anonymous logon'.  In this case there is NO anonymous anything.  There is an account called 'anonym' on the domain with a blank password.

    If the OP had payed attention to the directions and hasd posted the LDIFDE command line right in the beginning we would have had a solution immediately.

    Softera has been desigfned to be preset with a default account which, in this case, is 'anonym sp spewcifying 'anonymous user' is specific to Softera and telss it to use the configured default account.

    None of this has anything to do with scripting or with Active Directory.

    There is no substitute for actual training in the technology we use. Guesswork is only a waste of time.  - Kung Fu Panda




    Saturday, November 26, 2011 7:39 PM