Florian's Blog http://www.frickelsoft.net/blog Words on Group Policy, Active Directory and Infrastructure stuff Sat, 12 May 2012 11:31:39 +0000 http://wordpress.org/?v=2.3.1 en Hiding information in AD http://www.frickelsoft.net/blog/?p=288 http://www.frickelsoft.net/blog/?p=288#comments Sat, 12 May 2012 11:31:39 +0000 florian http://www.frickelsoft.net/blog/?p=288 I’m still reading the Forums now and then, although I am not posting as much there as I have in the past. Reasons being, time, motivation and the overall quality of the Forums – but that is a different topic.
What I’ve come across lately at least twice, is a question that can be summed up to:
How can I hide information in Active Directory (from specific users)?”

Since we’re a technical blog here, let’s discuss the technical possibilities first. There are

  • The Active Directory confidentiality bit
  • Permission assignment to objects/attributes in Active Directory.

As for (1), the confidentiality bit is a bit set for these attributes in the Schema, so that they are no longer readable to “normal” users. You essentially modify the searchFlags attribute. More on the confidentiality bit: http://blogs.dirteam.com/blogs/tomek/archive/2005/11/21/confidential-bit.aspx. If you have read the article and comments below, you’ll notice that the confidentiality bit is only half-way through a good idea. Admins and “Account Operators” still can read. And it won’t work for “Category 1” attributes (http://www.frickelsoft.net/blog/?p=227). If you have extended the Schema and store the secret stuff in your own attribute, this may be a way to go – granted that you have a very controlled Administrators League and know who “Account Operators” are and that they are OK to handle the information in there.

(more…)

]]> http://www.frickelsoft.net/blog/?feed=rss2&p=288 Group Policy Settings Excel update http://www.frickelsoft.net/blog/?p=287 http://www.frickelsoft.net/blog/?p=287#comments Thu, 10 May 2012 08:10:34 +0000 florian http://www.frickelsoft.net/blog/?p=287 I am sure some of you are already playing with Windows 8 and Windows Server 2012.

Microsoft Download has an updated Excel spreadsheet of the well-known Group Policy Settings Excel - it contains Windows 8 and Windows Server 2012 beta settings:

http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=25250

The Azure-based online search tool Group Policy Search http://gps.cloudapp.net has not been updated yet.

]]> http://www.frickelsoft.net/blog/?feed=rss2&p=287 Setting ‘Block Inheritance’ on the domain level? WTF!? http://www.frickelsoft.net/blog/?p=286 http://www.frickelsoft.net/blog/?p=286#comments Wed, 07 Mar 2012 22:09:54 +0000 florian http://www.frickelsoft.net/blog/?p=286 Hey ho - long time no hear. I won’t make any promises any more and just go on with the blog posting :-)

I got an email from a fellow AD/GPO/Exchange big brain (where “fellow” relates to AD/GPO, I am no Exchange big brain). He was sending a screenshot of GPMC with essentially the following information on it:

(more…)

]]> http://www.frickelsoft.net/blog/?feed=rss2&p=286