We can use SSN here and that is how all public institutions track students.
If a student requests not to use the SSN then we provide another number to use.
We have had very few requests to do this.

Our VMS system will restrict the display of the SSN and only show name and
things like that, but W2K will not do that.

We figured we could hide the SSN in W2K and only use the AD Display Name for
security purposes.  However, that is not possible due to third party apps
and NT 4.0.  They require the use of UPN.

We are working on another way to do this with the info we are provided by
the main registration system.  You would be surprised at how many students
do not know their middle name, correct spelling, and other things.  So, when
we pull it off the registration system they then try to enter other info
(such as different middle initial.) So we were shooting for a more uniform
login name.  SSN would have been great, but not now.

Joe

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Barber, Tom
Sent: Monday, August 27, 2001 11:17 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Hiding Account Names


We use a Personal ID Number that is generated internally.  This info is
stored in the EmployeeID property in the Active Directory.  I have been
investigating various means of "hiding" this property, with mixed success.
Basically the number means nothing except when on campus, so we really
haven't compromised anyone's privacy.

State Universities in New York are mandated by law NOT to use the SSN in ANY
publicly accessible format.  I would surmise other states have also mandated
this, or will be in the near future.


-Tom Barber
Systems Manager
Alfred State College
Alfred, NY 14802
(607)587-3558


-----Original Message-----
From: England, Christopher M [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 27, 2001 9:19 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Hiding Account Names

The student ID system here at Indiana University is SSN #'s, but we do have
regular 8-character usernames for domain authentication. The SSN #'s become
a problem when a faculty member begins to store rosters on his computer, and
then gets hacked by CodeRed or something. I would recommend getting away
from actual SSN #'s as well. Indiana University is planning on switching to
generated numbers in the near future.

----------------------------------------------------------
Christopher England, MCP
Server Administrator
College Information Technology Office
Indiana University


-----Original Message-----
From: Flanagan, Kevin [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 27, 2001 7:53 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Hiding Account Names


Not only is it a bad idea, but it might be illegal.

I'd suggest that you do something else, a generated numeric ID, that has an
index in the mainframe that internally ties it to the SSN.


Good luck, I know that I'd seriously consider leaving that school if I were
a student and learned that was the plan.

-----Original Message-----
From: Joe Sargent [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 24, 2001 2:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Hiding Account Names


I broke down and spent $245 to call Microsoft.  There is a way to keep the
Account Name from displaying along with the Display name, but you have to
eliminate the Windows 2000 User Logon Name.  This leaves on the UPN for NT.
Once the domain is switched to Native mode the PDC emulator is gone and the
W2K User Logon Name field will have to be populated.

So, that is a short term fix only.

There are other issues....
1: NT 4 will always see the Account name which would be the SSN
2: Other 3rd party products will do the same as NT 4
3: Queries can be made and this information can be extracted from the
domain.  So people could get this info in other ways.

So, in a nutshell, this is a bad idea!!!!!

Our reasoning is due to another external web system ties in to main frame.
It requires certain combinations, and SSN was the only one that would be
unique.  That system does have to worry about external queries.  So, we were
trying to achieve one username/one password across all systems.  So, back to
the drawing board.

Thanks for all your help.
Joe

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Khan, Salman
Sent: Friday, August 24, 2001 1:16 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Hiding Account Names


I am not sure if it's doable but I would be uncomfortable adopting that
policy. There are a lot of issues, especially invasion of privacy. Any domain
admin can have anybody's SS. That doesn't sound right.

Sal Khan

-----Original Message-----
From: Joe Sargent [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 24, 2001 8:14 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Hiding Account Names


We have adopted a policy to use Social Security Numbers as account logins in
our not native mode Windows 2000 domains.  We still have some old Windows NT
4.0 machines in an NT 4.0 domain that is trusted to the W2K domains.  I
noticed that when assigning rights for a Windows 2000 domain user to have
local share access on an NT 4.0 machine in a NT 4.0 domain the user account
shows up along with the user's Windows 2000 account display name.  So I am
offering all the users the ability to get any person's SSN and their name to
go with it.  This is sensitive info and I would like for only users to see
the Windows 2000 display name and never actual account names.  Can this be
done?????

Thanks in advance.

Joe Sargent


======================================================
Office (423) 585-6836   Fax  (423) 585-2630    Pager (888) 724-9041

Office - mailto:[EMAIL PROTECTED]

Joe Sargent
Network and Technical Support Manager
CCEN 312
Walters State Community College
500 South Davy Crockett Parkway
Morristown, TN 37813
======================================================




List info: http://www.activedir.org/mail_list.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
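
Added example (not code from anyone in this thread): a sketch of the generated-ID approach suggested above, where the SSN-to-ID index stays on the registration system and only the generated number reaches the directory, plus a check for SSN-shaped logon names in an account export. The "s" prefix, the 8-digit length, the example.edu domain and all sample records are assumptions made for illustration.

```python
import re
import secrets

# SSN shape: nine digits, optionally grouped 3-2-4 with hyphens.
SSN_SHAPED = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")

def looks_like_ssn(logon_name):
    """True when a logon name, or the part of a UPN before '@', is SSN-shaped."""
    return bool(SSN_SHAPED.match(logon_name.split("@", 1)[0]))

def audit_logon_names(accounts):
    """Display names of accounts whose logon name or UPN would expose an SSN."""
    return [a["displayName"] for a in accounts
            if looks_like_ssn(a["sAMAccountName"])
            or looks_like_ssn(a["userPrincipalName"])]

def assign_ids(ssns, index=None, digits=8):
    """Extend the private SSN -> campus ID index; existing IDs never change."""
    index = dict(index or {})
    taken = set(index.values())
    for ssn in ssns:
        key = ssn.replace("-", "")
        while key not in index:
            # Random, so the ID cannot be computed back to the SSN.
            cid = str(secrets.randbelow(9 * 10 ** (digits - 1)) + 10 ** (digits - 1))
            if cid not in taken:
                index[key] = cid
                taken.add(cid)
    return index

def directory_entry(row, index, domain="example.edu"):
    """Attributes to load into the directory: the generated ID, never the SSN."""
    cid = index[row["ssn"].replace("-", "")]
    return {"sAMAccountName": "s" + cid,
            "userPrincipalName": f"s{cid}@{domain}",
            "employeeID": cid,
            "displayName": row["name"]}

# Constructed sample data; area number 000 is never issued as a real SSN.
REGISTRAR = [{"ssn": "000-00-0001", "name": "Pat Example"},
             {"ssn": "000-00-0002", "name": "Lee Sample"}]
LEGACY = [{"sAMAccountName": "000000001", "displayName": "Pat Example",
           "userPrincipalName": "000000001@example.edu"},
          {"sAMAccountName": "lsample", "displayName": "Lee Sample",
           "userPrincipalName": "lsample@example.edu"}]

if __name__ == "__main__":
    idx = assign_ids(r["ssn"] for r in REGISTRAR)
    print(audit_logon_names(LEGACY))
    print([directory_entry(r, idx) for r in REGISTRAR])
```

Passing the saved index back into assign_ids on the next registration pull keeps every existing student's ID stable while new students get fresh ones.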