Easily configure confidential attributes in Active Directory

Sam Neal
Beyond the Helpdesk
3 min read · May 19, 2020

Recently we moved to storing phone numbers in Active Directory, but this raises a concern: any user in our domain can open ADUC and view other people's personal phone numbers.

In searching for a solution I came across Confidential Attributes. The concept is quite simple: flag an attribute as confidential, then provision read or write access using a permission called CONTROL_ACCESS. There is one caveat, though: you can’t flag base-schema attributes, so you may be forced to create and use a custom Active Directory attribute.

The real problem came when trying to figure out how to actually do this. Most guides I could find were either really old with broken links, very wordy, or just rather difficult to follow.

So, here’s my attempt at a simple, easy to follow guide on configuring confidential attributes. This might look daunting at first but follow along and I promise you’ll see just how quick & easy this really is!

Let’s break this down into 2 parts:
Part 1 — Flagging attributes as confidential
Part 2 — Setting the CONTROL_ACCESS permission

Part 1 — Flagging attributes as confidential

  • On a Domain Controller, open ADSI Edit
  • From the left, right-click ADSI Edit and click Connect
  • From the drop-down Select a well known Naming Context select Schema and click OK
  • Navigate through the Schema to find the attribute you want to flag as confidential and double-click to open it (Can’t find your attribute? This PowerShell script from Alan’s Blog might help!)
  • From the tab Attribute Editor find the attribute searchFlags and change the value to 128
  • Click OK and OK

✔ Your attribute is now marked as confidential and requires the CONTROL_ACCESS permission to be read.
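The same change from PowerShell, as an added example that is not part of the original article. It looks up the attribute in the schema partition, refuses base-schema attributes (the caveat above, detectable via the FLAG_SCHEMA_BASE_OBJECT bit in systemFlags), and ORs bit 128 into searchFlags rather than overwriting the value, so any flags already set on the attribute (indexing, for instance) survive. The attribute name contoso-MobilePhone is a placeholder; substitute your own custom attribute's lDAPDisplayName, and run it as a member of Schema Admins.

```powershell
# Added example (not from the article): flag a custom schema attribute as confidential.
# ASSUMPTION: 'contoso-MobilePhone' is a placeholder lDAPDisplayName; replace it with yours.
Import-Module ActiveDirectory

$AttributeLdapName = 'contoso-MobilePhone'
$ConfidentialBit   = 128    # searchFlags bit 7 = confidential
$BaseSchemaFlag    = 0x10   # systemFlags FLAG_SCHEMA_BASE_OBJECT: base-schema attributes can't be made confidential

# Schema writes have to go to the schema master, so target it explicitly.
$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

$attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributeLdapName))" `
    -Properties searchFlags, systemFlags

if (-not $attr) {
    throw "Attribute '$AttributeLdapName' was not found in the schema."
}
if (($attr.systemFlags -band $BaseSchemaFlag) -ne 0) {
    throw "'$AttributeLdapName' is a base-schema attribute; it cannot be flagged confidential."
}
if (($attr.searchFlags -band $ConfidentialBit) -ne 0) {
    Write-Host "'$AttributeLdapName' is already confidential (searchFlags = $($attr.searchFlags))."
    return
}

# OR the bit in instead of replacing the whole value, so existing flags are preserved.
$newFlags = $attr.searchFlags -bor $ConfidentialBit
Set-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName -Replace @{ searchFlags = $newFlags }

# Read the value back to confirm the change actually landed.
$check = Get-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName -Properties searchFlags
if (($check.searchFlags -band $ConfidentialBit) -ne 0) {
    Write-Host "'$AttributeLdapName' is now confidential (searchFlags = $($check.searchFlags))."
} else {
    throw "searchFlags did not update; check Schema Admins membership and connectivity to $schemaMaster."
}
```

Setting the whole value to 128 in ADSI Edit, as in the step above, gives the same result only when the attribute's searchFlags was 0 beforehand; the OR keeps the script safe on attributes that already had flags.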

Part 2 — Setting the CONTROL_ACCESS permission

In this example we will use inheritance to grant an account permission to read our confidential attribute on every user object in an OU.

  • On a Domain Controller, open Ldp.exe as administrator
  • From the Connection menu click Bind and OK
  • From the View menu click Tree
  • Navigate through the tree and find the OU where you want to give a user/group permission to read your confidential attribute
  • Right-click the OU and click Advanced then Security Descriptor
  • On the Security Descriptor window click OK
  • Under DACL click Add… and configure as below:

ACE type: Allow
Trustee: <Your user/group you want to be able to read confidential attribute>
Check: Control access, Read Property & Inherit
Object type: <Your Confidential attribute>
Inherited object type: user

  • Click OK and Update

✔ Your user now has the permission to read your confidential attribute for every object under the OU you chose.
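The equivalent of the Ldp.exe steps in PowerShell, as an added example that is not part of the original article. It builds one ACE with ExtendedRight (which, with the attribute's schemaIDGUID as the object type, is the CONTROL_ACCESS right on that attribute) plus ReadProperty, sets the inherited object type to the user class so the ACE applies to every user under the OU, adds it to the OU's DACL, and reads the DACL back to verify. The OU path, group name and attribute name are placeholders to replace with your own. Note that the confidential bit only withholds the attribute from principals lacking CONTROL_ACCESS; accounts that already hold Full Control on the objects, such as Domain Admins, can read it regardless, so this ACE is what defines the intended reader set.

```powershell
# Added example (not from the article): grant CONTROL_ACCESS + Read Property on one
# confidential attribute to a group, inherited by all user objects under an OU.
# ASSUMPTIONS: the OU DN, group name and attribute name below are placeholders.
Import-Module ActiveDirectory

$OuDN              = 'OU=Staff,DC=contoso,DC=com'
$TrusteeGroup      = 'PhoneNumber-Readers'
$AttributeLdapName = 'contoso-MobilePhone'

$schemaNC = (Get-ADRootDSE).schemaNamingContext

function Get-SchemaGuid {
    # Returns the schemaIDGUID of an attribute or class; this is what Ldp's "Object type" refers to.
    param([string]$LdapDisplayName, [string]$ObjectClass)
    $obj = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
        -LDAPFilter "(&(objectClass=$ObjectClass)(lDAPDisplayName=$LdapDisplayName))"
    if (-not $obj) { throw "$ObjectClass '$LdapDisplayName' was not found in the schema." }
    [guid]$obj.schemaIDGUID
}

$attrGuid      = Get-SchemaGuid -LdapDisplayName $AttributeLdapName -ObjectClass 'attributeSchema'
$userClassGuid = Get-SchemaGuid -LdapDisplayName 'user'             -ObjectClass 'classSchema'
$trusteeSid    = (Get-ADGroup -Identity $TrusteeGroup).SID

# ExtendedRight scoped to the attribute GUID = CONTROL_ACCESS on that attribute.
# ReadProperty is still required to read the value once CONTROL_ACCESS is granted.
# Descendents + inherited object type 'user' mirrors Ldp's "Inherit" with "Inherited object type: user".
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $trusteeSid,
    [System.DirectoryServices.ActiveDirectoryRights]'ExtendedRight, ReadProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$aclPath = "AD:\$OuDN"
$acl = Get-Acl -Path $aclPath
$acl.AddAccessRule($rule)
Set-Acl -Path $aclPath -AclObject $acl

# Verify: list every ACE on the OU that targets our attribute's GUID.
$acl = Get-Acl -Path $aclPath
$acl.Access |
    Where-Object { $_.ObjectType -eq $attrGuid } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

Running the read-back as a member of the trustee group (Get-ADUser with -Properties, as in the command at the end of the article) and again as an ordinary user is the quickest way to confirm that only the intended readers see the value.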

Done! Try it out with this PowerShell command.

Get-ADUser <USERNAME> -Properties <YOUR CONFIDENTIAL ATTRIBUTE>
