Platform SDK: Active Directory, ADSI, and Directory Services

GetObject and ADsGetObject

GetObject and ADsGetObject provide single sign-on with no encryption. The application need not provide any credential information when accessing Active Directory information; ADSI uses the security context of the calling thread. However, if secure authentication fails, ADSI attempts a simple bind with a NULL username and NULL password. If the simple bind succeeds, the user context for the binding is Guest. A simple bind is clear-text authentication, but because no username or password is sent, this is not a security issue.

For a service running under the LocalSystem account, the security context used by GetObject and ADsGetObject depends on the computer on which the service is running. If the service is running as LocalSystem on a domain controller (DC), the service has full system-level access to Active Directory. If the service is not running on a DC, the service has the access rights and privileges allowed to the computer account for the computer on which the service is running, which is significantly less powerful than system-level access.
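
The rules above can be checked on a host before deploying a service that binds with GetObject or ADsGetObject. The following PowerShell is an added example, not part of the original SDK page: the function name Get-AdsiImplicitBindContext is hypothetical, and it reports the context the text says will be used rather than performing a bind or detecting the Guest fallback.

```powershell
# Added example: report which security context an implicit ADSI bind
# (GetObject / ADsGetObject) is expected to use when called from this thread.
# Get-AdsiImplicitBindContext is a hypothetical helper name.
function Get-AdsiImplicitBindContext {
    [CmdletBinding()]
    param()

    # Thread token if the thread is impersonating, otherwise the process token.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $isDomainController = $cs.DomainRole -in 4, 5

    if (-not $cs.PartOfDomain) {
        # Workgroup hosts are not covered by the text above.
        $effective = 'Not domain-joined: outside the cases the text covers'
    }
    elseif ($identity.IsSystem -and $isDomainController) {
        $effective = 'LocalSystem on a DC: full system-level access to Active Directory'
    }
    elseif ($identity.IsSystem) {
        # Off a DC, LocalSystem gets the rights of the computer account.
        $effective = "LocalSystem on a member computer: rights of computer account $($cs.Name)`$ in $($cs.Domain)"
    }
    else {
        $effective = "Calling thread's own context: $($identity.Name)"
    }

    [pscustomobject]@{
        ThreadIdentity     = $identity.Name
        IsLocalSystem      = $identity.IsSystem
        IsDomainController = $isDomainController
        EffectiveContext   = $effective
    }
}

Get-AdsiImplicitBindContext | Format-List
```

Run it under the same account the service will use. A result showing LocalSystem on a DC means any directory operation the service performs carries system-level rights.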