About confidential attributes in SP1: When you set an attribute to be confidential, mere read permission is no longer enough for you to see the attribute value.
HOW TO ENABLE - Select the attribute to be set as confidential. Category 1 attributes are not possible to select, which rules most of the base schema attributes out but not all... Cat1 is marked in the corresponding attributeSchema object in its systemFlags attribute, as bit 0xF (or 16 in decimal). - Locate the corresponding attributeSchema object in the schema, and set bit 0x80 (or 128 in decimal) in its searchFlags attribute. HOW TO DELEGATE - Grant "All Extended Rights" for anyone, who needs to see the confidential attribute and grant this on the object, where the attribute is (or you could also use inheritance, of course). For example, grant "All Extended Rights" on the Sales OU, where are the user Jill and contact Carl. - SP1 ACL Editor hides "All Extended Rights" on object classes that don't have any extended rights associated, such as contact. In that case you would use DSACLS, such as the command "dsacls cn=jill,ou=demo,dc=sanao,dc=com /G jim:ca" PROS - If you delegate "Read All Properties" to someone, you can exclude some attributes from this "All" by marking them as confidential. This also applies when people have "Read All Properties" through the "Pre-Windows 2000 compatible access" group. CONS - As you need to grant "All Extended Rights", the trustee who got the permissions, gets not just permission to see a confidential attribute, but she also gets all current and future extended rights on the target object. For example, if you want Jim to see the users' social security numbers, he will also get permission to reset their passwords. And if one year later a directory-enabled application adds its own extended right to your AD, Jim will have that new permission right away on the affected users. - Account Operators have Full Control over user objects, so they also have "All Extended Rights", so they are able to read users's confidential attributes. If this feature were implemented as a new access mask bit, it would have removed the first described drawback. Yours, Sakari =============================== From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, May 09, 2005 4:31 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Who was asking for a list of SP1 changes? I think it was this DL...... Excellent thanks ~Eric... This looks to be a good document. However, anyone else think this info on confidential attributes is a bit weak in the documentation Improved security to protect confidential attributes To prevent Read access to confidential attributes, such as a Social Security number, while allowing Read access to other object attributes, you can designate specific attributes as confidential by setting a search flag on the respective attributeSchema object. By default, only domain administrators have Read access to confidential attributes, but this access can be delegated. For more information about access to attributes, see "How Security Descriptors and Access Control Lists Work" on the Microsoft Web site <http://go.microsoft.com/fwlink/?LinkId=45972> at http://go.microsoft.com/fwlink/?LinkId=45972. The link takes you to a document from March 28, 2003 which I highly doubt has more info about confidential attributes. This is something that actually requires you to make changes to use, not like saying hey we also keep SID Histories in the tombstone objects now which doesn't take any action on the part of the admins.... ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Monday, May 09, 2005 12:22 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Who was asking for a list of SP1 changes? I think it was this DL...... http://www.microsoft.com/downloads/details.aspx?familyid=C3C26254-8CE3-46E2-B1B6-3659B92B2CDE&displaylang=en I didn't read it for completeness, but spot checked, and many are there. Though certainly not every one I'm sure. ~Eric List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
