Disable signed or encrypted LDAP traffic

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To disable signed or encrypted LDAP traffic

  1. Open Registry Editor.


    • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.
  2. In Registry Editor, navigate to the following registry key:


    • HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/AdminDebug
  3. Click Edit, point to New, and then click DWORD Value.

  4. In the text box that appears, type ADsOpenObjectFlags, and then press ENTER.

  5. Double-click the ADsOpenObjectFlags registry key you just created, and then change the Value Data to one of the following values below:

    Value data (Hexadecimal) Disables






    Encryption and Signing


  • This procedure will disable the use of signed or encrypted LDAP traffic for some Active Directory administrative tools. It is recommended that you avoid disabling this feature. For more information, see Related Topics.


  • To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • To open Registry Editor, click Start, click Run, type regedit, and then click OK.

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also


Connecting to domain controllers running Windows 2000
Directory access protocol