AD permissions


Paul Hodgdon

Sep 22, 2021, 7:27:00 AM
to pwm-g...@googlegroups.com
For those using AD, how have you gone about setting the permissions so that read access is denied for other users on the pwm attributes.  --

Paul Hodgdon
Principal Consultant | Identity Works LLC
Epping | New Hampshire 03042 | USA
+1 603 661 1508 (mobile) | +1 603 734 2681 (office)
www.identityworksllc.com

     

jason.e...@gmail.com

Sep 22, 2021, 10:50:34 AM
to pwm-general
You can flip the "searchFlags" on the attribute to 128 using the adsiedit "Schema" snap-in, which makes it "Confidential", which will basically mean only domain administrators can view the values. Does that work for your situation? Probably not, you don't want to use a domain admin service account for PWM. So, after you set the searchFlags to 128 you need to go into more configuration. I use LDP; you need to edit/add the DACL to grant CONTROL_ACCESS on the attribute for the PWM user, or the best option is to create a security group, add your accounts that need to read confidential bits to that group, then in the DACL set the rights for that group. One very important note: when you have the ACL editor open in LDP you might want to click the sort button for Trustee to make it easier to find entries. DON'T DO THIS! If you do, it will save the permissions in that order and next time you go into ADUC you will get an error saying permissions are out of order. Easy to fix, just go back into LDP and sort again, but this time sort by Type and ensure Deny entries come first at the top :D

Here's a link to MS docs on confidential bit plus on the needed changes to give non-admins read/write to it,

I have done this numerous times over a ton of attributes, for users and group membership viewing. I have worked mainly in higher education, and safeguarding FERPA/PII data is necessary, such as viewing group memberships.

Some attributes, except if you added new ones for PWM, cannot be set confidential, such as mobile and otherMailbox. In order to prevent read access to those you have to remove those attributes from the default property set rights. Pretty easy using adsiedit, then set deny read as usual. More on that if you need it, just let me know.

Thanks!
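The procedure above (set the Confidential bit, then grant CONTROL_ACCESS on the attribute to a group) done in PowerShell instead of adsiedit/LDP, as an added example that is not part of the thread. The attribute name pwmResponseSet, the group PWM-ConfidentialReaders and the OU=People container are placeholders; the script also checks that the DACL is still in canonical order, which is exactly what the "sort by Trustee" mistake in LDP breaks.

```powershell
# Added example, not from the thread. Placeholders: attribute, group and OU names.
Import-Module ActiveDirectory

$attrName  = 'pwmResponseSet'               # hypothetical custom PWM attribute
$groupName = 'PWM-ConfidentialReaders'      # hypothetical group containing the PWM service account
$targetDN  = 'OU=People,DC=example,DC=com'  # hypothetical container holding the users PWM reads

$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attrName))" `
    -Properties searchFlags, schemaIDGUID

# 1. Set the Confidential bit (128 = 0x80). OR it in so other searchFlags bits
#    (indexing, preserve on tombstone, ...) are not wiped out. Needs Schema Admins.
$CONFIDENTIAL = 128
if (-not ($attr.searchFlags -band $CONFIDENTIAL)) {
    Set-ADObject -Identity $attr.DistinguishedName `
        -Replace @{ searchFlags = ($attr.searchFlags -bor $CONFIDENTIAL) }
}

# 2. Grant CONTROL_ACCESS (ExtendedRight) scoped to this one attribute, inherited by
#    descendant user objects, to the group rather than to a single service account.
$attrGuid      = [guid]$attr.schemaIDGUID
$userClassGuid = [guid](Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
    -Properties schemaIDGUID).schemaIDGUID
$groupSid      = (Get-ADGroup $groupName).SID

$acl = Get-Acl -Path "AD:\$targetDN"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$targetDN" -AclObject $acl

# 3. Verify: show the ACEs that touch this attribute and confirm the DACL is still
#    canonical (explicit Deny entries before Allow entries). ADUC refuses to edit a
#    non-canonical DACL, which is the "permissions are out of order" error.
$acl = Get-Acl -Path "AD:\$targetDN"
$acl.Access |
    Where-Object { $_.ObjectType -eq $attrGuid } |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights, InheritanceType

if (-not $acl.AreAccessRulesCanonical) {
    Write-Warning "DACL on $targetDN is not canonical; move Deny ACEs above Allow ACEs."
}
```

Step 1 must run as a Schema Admin against the schema master; step 2 only needs rights to modify the DACL of the container. After the change, reading the attribute as a user outside the group should return nothing for that attribute while the rest of the object stays readable, which is a quick way to confirm the Confidential bit took effect without touching the existing default read permissions.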

Paul Hodgdon

Sep 22, 2021, 11:15:35 PM
to pwm-g...@googlegroups.com
Thanks Jason, this was perfectly described and worked like a charm.

Paul Hodgdon
Principal Consultant | Identity Works LLC
Epping | New Hampshire 03042 | USA
+1 603 661 1508 (mobile) | +1 603 734 2681 (office)
www.identityworksllc.com


You received this message because you are subscribed to the Google Groups "pwm-general" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/pwm-general/a1fad037-fefb-4875-8dd4-0dc08f836989n%40googlegroups.com.