ADS_AUTHENTICATION_ENUM

Flag

Description

ADS_SECURE_AUTHENTICATION

Requests secure authentication. Active Directory will use Kerberos, and possibly NT LAN Manager, to authenticate the client. When the user name and password are null, ADSI binds to the object using the security context of the calling thread, which is either the security context of the user account under which the script is running or of the client user account that the calling thread represents.

ADS_USE_ENCRYPTION

Requires ADSI to use encryption for data exchange over the network.

ADS_USE_SSL

The channel is encrypted using Secure Sockets Layer (SSL). Active Directory requires that the Certificate Server is installed to support SSL.

If this flag is not combined with the ADS_SECURE_AUTHENTICATION flag and the supplied credentials are null, the bind will be performed anonymously. If this flag is combined with the ADS_SECURE_AUTHENTICATION flag and the supplied credentials are null, then the credentials of the calling thread are used.

ADS_READONLY_SERVER

A writable domain controller is not required. If your script only reads or queries data from Active Directory, you should use this flag to open the sessions. This allows the application to take advantage of Read-Only DCs (RODCs), which are present in Windows Server 2008 and later.

On a Windows Server 2003 or Windows 2000 network, all servers are writable, so this flag has no affect.

In Windows Server 2008, ADSI attempts to connect to either Read-Only DCs (RODCs) or writable DCs. This allows the use of an RODC for the access and enables the application to run in a branch or perimeter network (also known as DMZ, demilitarized zone, and screened subnet), without the need for direct connectivity with a writable DC.

ADS_PROMPT_CREDENTIALS

This flag is not supported. ADS_NO_AUTHENTICATION Request no authentication. The providers may attempt to bind the client, as an anonymous user, to the target object. Active Directory establishes a connection between the client and the targeted object, but will not perform authentication. Setting this flag amounts to requesting an anonymous binding, which indicates all users as the security context.

ADS_FAST_BIND

When this flag is set, ADSI will not attempt to query the objectClass property and thus will only expose the base interfaces supported by all ADSI objects instead of the full object support. You can use this option to increase the performance in a series of object manipulations that involve only methods of the base interfaces. However, ADSI will not verify that any of the requested objects actually exist on the server.

ADS_USE_SIGNING

Verifies data integrity. The ADS_SECURE_AUTHENTICATION flag must also be set to use signing.

ADS_USE_SEALING

Encrypts data using Kerberos. The ADS_SECURE_AUTHENTICATION flag must also be set to use sealing.

ADS_USE_DELEGATION

Enables ADSI to delegate the user security context, which is necessary for moving objects across domains.

ADS_SERVER_BIND

This flag is not supported.

ADS_NO_REFERRAL_CHASING

Specify this flag to turn referral chasing off for the life of the connection. However, even when this flag is specified, ADSI still allows the setting of referral chasing behavior for container enumeration when set using ADS_OPTION_REFERRALS in ADS_OPTION_ENUM (as documented in container enumeration with referral chasing in IADsObjectOptions::SetOption.

ADS_AUTH_RESERVED

Reserved