Hiding information in AD

I’m still reading the Forums now and then, although I am not posting as much there as I have in the past. Reasons being, time, motivation and the overall quality of the Forums – but that is a different topic.
What I’ve come across lately, at least twice, is a question that can be summed up as:
“How can I hide information in Active Directory (from specific users)?”

Since we’re a technical blog here, let’s discuss the technical possibilities first. There are two:

  1. The Active Directory confidentiality bit
  2. Permission assignment to objects/attributes in Active Directory

As for (1), the confidentiality bit is a bit set on the attribute’s definition in the Schema, so that the attribute is no longer readable by “normal” users. You essentially modify the searchFlags attribute of the attributeSchema object. More on the confidentiality bit: http://blogs.dirteam.com/blogs/tomek/archive/2005/11/21/confidential-bit.aspx. If you read the article and the comments below it, you’ll notice that the confidentiality bit is only half a good idea. Admins and “Account Operators” can still read the attribute. And it won’t work for “Category 1” attributes (http://www.frickelsoft.net/blog/?p=227). If you have extended the Schema and store the secret stuff in your own attribute, this may be a way to go – granted that you have a very controlled Administrators League and know who the “Account Operators” are, and that they are OK to handle the information in there.
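To make the two caveats above concrete, here is an added PowerShell example (not code from the original post) that checks whether an attribute is a Category 1 base-schema attribute before flipping the confidentiality bit in its searchFlags. It assumes the ActiveDirectory module, Schema Admins rights, and a hypothetical custom attribute name; the bit values for searchFlags (0x80, fCONFIDENTIAL) and systemFlags (0x10, base schema object) are the documented ones.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory
# module is available and the caller is a Schema Admin.
Import-Module ActiveDirectory

$FLAG_ATTR_IS_CONFIDENTIAL = 0x80   # searchFlags bit 7 (fCONFIDENTIAL)
$FLAG_SCHEMA_BASE_OBJECT   = 0x10   # systemFlags: Category 1 (base schema) object

function Get-SchemaAttribute {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties lDAPDisplayName, searchFlags, systemFlags
}

function Test-Category1Attribute {
    param([Parameter(Mandatory)]$Attribute)
    # Category 1 attributes ship with the base schema; the confidentiality
    # bit is ignored for them, so setting it would give a false sense of safety.
    return (($Attribute.systemFlags -band $FLAG_SCHEMA_BASE_OBJECT) -ne 0)
}

function Set-AttributeConfidential {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $attr = Get-SchemaAttribute -LdapDisplayName $LdapDisplayName
    if (-not $attr) { throw "attribute '$LdapDisplayName' not found in schema" }
    if (Test-Category1Attribute $attr) {
        throw "'$LdapDisplayName' is a Category 1 attribute; the confidentiality bit will not protect it"
    }
    if (($attr.searchFlags -band $FLAG_ATTR_IS_CONFIDENTIAL) -ne 0) {
        Write-Verbose "'$LdapDisplayName' is already marked confidential"
        return $attr
    }
    # Schema changes have to be written to the schema master.
    $schemaMaster = (Get-ADForest).SchemaMaster
    Set-ADObject -Identity $attr.DistinguishedName -Server $schemaMaster `
        -Replace @{ searchFlags = ($attr.searchFlags -bor $FLAG_ATTR_IS_CONFIDENTIAL) }
    # Re-read so the caller sees the flags as stored.
    Get-SchemaAttribute -LdapDisplayName $LdapDisplayName
}

# Usage with a hypothetical custom attribute name (assumption, not from the post):
# Set-AttributeConfidential -LdapDisplayName 'contoso-EmployeeSecret' -Verbose
```

Even after the bit is set, anyone holding Full Control or the Control Access right on the object (which by default includes the administrative groups the post mentions) still reads the attribute, so the schema change only narrows the audience; it does not replace the permission review in option (2).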


Group Policy Settings Excel update

I am sure some of you are already playing with Windows 8 and Windows Server 2012.

Microsoft Download has an updated version of the well-known Group Policy Settings Excel spreadsheet; it contains the Windows 8 and Windows Server 2012 beta settings:

http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=25250

The Azure-based online search tool Group Policy Search http://gps.cloudapp.net has not been updated yet.

Setting ‘Block Inheritance’ on the domain level? WTF!?

Hey ho - long time no hear. I won’t make any promises any more and just go on with the blog posting :-)

I got an email from a fellow AD/GPO/Exchange big brain (where “fellow” relates to AD/GPO; I am no Exchange big brain). He sent a screenshot of GPMC with essentially the following information on it:

