The student ID system here at Indiana University is SSN #'s, but we do have
regular 8-character usernames for domain authentication. The SSN #'s become
a problem when a faculty member begins to store rosters on his computer, and
then gets hacked by CodeRed or something. I would recommend getting away
from actual SSN #'s as well. Indiana University is planning on switching to
generated numbers in the near future.

----------------------------------------------------------
Christopher England, MCP
Server Administrator
College Information Technology Office
Indiana University


-----Original Message-----
From: Flanagan, Kevin [mailto:[EMAIL PROTECTED]] 
Sent: Monday, August 27, 2001 7:53 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Hiding Account Names


Not only is it a bad idea, but it might be illegal.

I'd suggest that you do something else, a generated numeric ID, that has an
index in the mainframe that internally ties it to the SSN.


Good luck, I know that I'd seriously consider leaving that school if I were
a student and learned that was the plan.

-----Original Message-----
From: Joe Sargent [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 24, 2001 2:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Hiding Account Names


I broke down and spent $245 to call Microsoft.  There is a way to keep the
Account Name from displaying along with the Display name, but you have to
eliminate the Windows 2000 User Logon Name.  This leaves on the UPN for NT.
Once the domain is switched to Native mode the PDC emulator is gone and the
W2K User Logon Name field will have to be populated.

So, that is a short term fix only.

There are other issues....
1: NT 4 will always see the Account name which would be the SSN
2: Other 3rd party products will do the same as NT 4
3: Queries can be made and this information can be extracted from the
domain.  So people could get this info in other ways.

So, in a nutshell, this is a bad idea!!!!!

Our reasoning is due to another external web system that ties in to the mainframe.
It requires certain combinations, and SSN was the only one that would be
unique.  That system does have to worry about external queries.  So, we were
trying to achieve one username/one password across all systems.  So, back to
the drawing board.

Thanks for all your help.
Joe

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Khan, Salman
Sent: Friday, August 24, 2001 1:16 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Hiding Account Names


I am not sure if it's doable but I would be uncomfortable adopting that
policy. There are a lot of issues, especially invasion of privacy. Any domain
admin can have anybody's SS. That doesn't sound right.

Sal Khan

-----Original Message-----
From: Joe Sargent [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 24, 2001 8:14 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Hiding Account Names


We have adopted a policy to use Social Security Numbers as account logins in
our not native mode Windows 2000 domains.  We still have some old Windows NT
4.0 machines in an NT 4.0 domain that is trusted to the W2K domains.  I
noticed that when assigning rights for a Windows 2000 domain user to have
local share access on an NT 4.0 machine in a NT 4.0 domain the user account
shows up along with the user's Windows 2000 account display name.  So I am
offering all the users the ability to get any person's SSN and their name to
go with it.  This is sensitive info and I would like for only users to see
the Windows 2000 display name and never actual account names.  Can this be
done?????

Thanks in advance.

Joe Sargent


======================================================
Office (423) 585-6836   Fax  (423) 585-2630    Pager (888) 724-9041

Office - mailto:[EMAIL PROTECTED]

Joe Sargent
Network and Technical Support Manager
CCEN 312
Walters State Community College
500 South Davy Crockett Parkway
Morristown, TN 37813
======================================================




List info: http://www.activedir.org/mail_list.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
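
Added example, not part of the original thread: a Python sketch of the generated-ID approach suggested in the replies above, where logon names stop carrying the SSN and a separate index ties the two together. The `IdIndex` class stands in for the mainframe index; it, `migrate`, and the sample records are constructed for illustration.

```python
import re
import secrets

# Nine digits, optionally written 3-2-4 with dashes: an SSN-shaped logon name.
SSN_SHAPED = re.compile(r"\d{3}-?\d{2}-?\d{4}")


def looks_like_ssn(logon_name):
    return SSN_SHAPED.fullmatch(logon_name) is not None


class IdIndex:
    """Stand-in for the mainframe index: the only place SSN and ID meet."""

    def __init__(self):
        self._id_by_ssn = {}
        self._ssn_by_id = {}

    def id_for(self, ssn):
        ssn = ssn.replace("-", "")
        if ssn not in self._id_by_ssn:
            # Random, not hashed: only 10**9 SSNs exist, so any hash of one
            # can be reversed by simply trying them all.
            while True:
                new_id = f"{secrets.randbelow(10**8):08d}"
                if new_id not in self._ssn_by_id:
                    break
            self._id_by_ssn[ssn] = new_id
            self._ssn_by_id[new_id] = ssn
        return self._id_by_ssn[ssn]


def migrate(accounts, index):
    """Return directory records whose logon name no longer carries an SSN."""
    migrated = []
    for acct in accounts:
        name = acct["logon"]
        if looks_like_ssn(name):
            name = index.id_for(name)
        migrated.append({"logon": name, "display": acct["display"]})
    return migrated


# Constructed sample export; names and numbers are made up (area 000 is never issued).
SAMPLE = [
    {"logon": "000-12-3456", "display": "Pat Example"},
    {"logon": "000987654", "display": "Lee Sample"},
    {"logon": "jsmith01", "display": "J. Smith"},
]
```

Only the migrated records belong in the directory; the index holding the SSN side of the mapping stays on the system of record with its own access controls.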