Hiding information in AD
I’m still reading the Forums now and then, although I am not posting as much there as I have in the past. Reasons being time, motivation and the overall quality of the Forums – but that is a different topic.
What I’ve come across lately, at least twice, is a question that can be summed up as:
“How can I hide information in Active Directory (from specific users)?”
Since we’re a technical blog here, let’s discuss the technical possibilities first. There are two:
1. The Active Directory confidentiality bit
2. Permission assignment to objects/attributes in Active Directory.
As for (1), the confidentiality bit is a flag set on an attribute in the Schema so that the attribute is no longer readable to “normal” users. You essentially modify the searchFlags attribute of the attribute’s schema object. More on the confidentiality bit: http://blogs.dirteam.com/blogs/tomek/archive/2005/11/21/confidential-bit.aspx. If you have read the article and the comments below it, you’ll notice that the confidentiality bit is only half of a good idea: Admins and “Account Operators” can still read the attribute, and it won’t work for “Category 1” attributes (http://www.frickelsoft.net/blog/?p=227). If you have extended the Schema and store the secret stuff in your own attribute, this may be a way to go, provided that you have a very controlled Administrators League, know who the “Account Operators” are, and are OK with them handling the information in there.
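To make the three caveats above concrete, here is a small offline model of the confidentiality bit in Python. It is an added example, not code from the original post or from the linked articles: the flag values (searchFlags 0x80 for the confidentiality bit, systemFlags 0x10 for base-schema “Category 1” objects) and the two access-mask bits are the documented Active Directory values, while the attribute `frickelsoftSecret`, the principals and the ACL are constructed for the example and do not come from a real directory.

```python
"""Added example, not code from the original post: an offline model of the
Active Directory confidentiality bit. Flag values and access-mask bits are the
documented AD constants; attributes, principals and the ACL are constructed."""

from dataclasses import dataclass

# searchFlags bit that marks an attribute confidential (fCONFIDENTIAL = 0x80).
SEARCH_FLAG_CONFIDENTIAL = 0x80
# systemFlags bit marking a base-schema object (FLAG_SCHEMA_BASE_OBJECT = 0x10);
# these are the "Category 1" attributes on which the bit cannot be set.
SYSTEM_FLAG_SCHEMA_BASE_OBJECT = 0x10

# Access-mask bits from the AD access control model.
RIGHT_DS_READ_PROP = 0x10
RIGHT_DS_CONTROL_ACCESS = 0x100
# Simplified "Full Control": only the two bits this model evaluates.
FULL_CONTROL = RIGHT_DS_READ_PROP | RIGHT_DS_CONTROL_ACCESS


@dataclass
class SchemaAttribute:
    ldap_display_name: str
    search_flags: int
    system_flags: int


def is_category1(attr: SchemaAttribute) -> bool:
    """True for base-schema attributes, which reject the confidentiality bit."""
    return bool(attr.system_flags & SYSTEM_FLAG_SCHEMA_BASE_OBJECT)


def is_confidential(attr: SchemaAttribute) -> bool:
    return bool(attr.search_flags & SEARCH_FLAG_CONFIDENTIAL)


def mark_confidential(attr: SchemaAttribute) -> int:
    """Return the searchFlags value with the bit set, or raise for a Category 1
    attribute (the directory itself refuses that write)."""
    if is_category1(attr):
        raise ValueError(
            f"{attr.ldap_display_name} is a Category 1 attribute; "
            "the confidentiality bit cannot be set on it"
        )
    return attr.search_flags | SEARCH_FLAG_CONFIDENTIAL


def can_read(attr: SchemaAttribute, rights: int) -> bool:
    """A confidential attribute needs CONTROL_ACCESS on top of READ_PROP;
    a non-confidential one needs READ_PROP only."""
    if not rights & RIGHT_DS_READ_PROP:
        return False
    if is_confidential(attr) and not rights & RIGHT_DS_CONTROL_ACCESS:
        return False
    return True


def readers(attr: SchemaAttribute, acl: dict) -> list:
    """Principals (ACL keys, in ACL order) that can read the attribute."""
    return [who for who, rights in acl.items() if can_read(attr, rights)]


# Constructed ACL modelled on the default picture for a user object: normal
# users read, while admins and Account Operators hold full control, which is
# why the post notes that those two groups can still read.
SAMPLE_ACL = {
    "Domain Admins": FULL_CONTROL,
    "Account Operators": FULL_CONTROL,
    "Authenticated Users": RIGHT_DS_READ_PROP,
}
# employeeID is treated here as a base-schema (Category 1) attribute;
# frickelsoftSecret is a hypothetical attribute added by a schema extension.
EMPLOYEE_ID = SchemaAttribute("employeeID", search_flags=0,
                              system_flags=SYSTEM_FLAG_SCHEMA_BASE_OBJECT)
CUSTOM_SECRET = SchemaAttribute("frickelsoftSecret", search_flags=0, system_flags=0)


def demo() -> dict:
    """Set the bit on the custom attribute and report who can still read it."""
    before = readers(CUSTOM_SECRET, SAMPLE_ACL)
    hidden = SchemaAttribute(CUSTOM_SECRET.ldap_display_name,
                             mark_confidential(CUSTOM_SECRET),
                             CUSTOM_SECRET.system_flags)
    after = readers(hidden, SAMPLE_ACL)
    try:
        mark_confidential(EMPLOYEE_ID)
        category1_refused = False
    except ValueError:
        category1_refused = True
    return {"before": before, "after": after, "category1_refused": category1_refused}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the effect the post describes: before the bit is set all three principals read `frickelsoftSecret`, afterwards only the two full-control groups do, and the attempt on the Category 1 attribute is refused. The model evaluates only the two rights that matter for the confidentiality bit; a real ACL check also involves deny entries, inheritance and property sets, which is exactly why option (2), permission assignment, is the other half of the answer.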
