
We have to have an attribute in Active Directory to store a user's default password to pass this information to user creation tools (Google Cloud Directory Sync, etc.) so that their password is set at initial creation. I created a custom attribute in AD to store this information.

By default every user in the domain can view this attribute if they look hard enough. I tried to "Deny" the read/write settings of this attribute to the "Everyone" group but then even Domain Admins (me...) could not read or modify it.

How can I attempt to secure this field? Is it possible? I understand this is against the core concept of a "directory" but this is my situation...

zsheppard
  • `We have to have an attribute in Active Directory to store a user's default password to pass this information to user creation tools (Google Cloud Directory Sync, etc.) so that their password is set at initial creation.` - What? Why would you do this? This sounds like a pretty bad idea to me. If you need their on-premises passwords synced to G Suite, why don't you use G Suite Password Sync? Maybe you can give us details on exactly what you're trying to accomplish. – joeqwerty Mar 14 '18 at 14:18
  • A limitation of GCDS is that the user's initial password on user creation must be an attribute in Active Directory or a static password for each new user. I didn't design it, just trying to make it work... @joeqwerty – zsheppard Mar 15 '18 at 14:54

1 Answer


This is arguably a duplicate of "Where do I store sensitive data within Active Directory?"

The gist is that you need to create an attribute and mark it as Confidential.

Kevin Colby
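The Confidential-attribute mechanism the answer refers to, as an added PowerShell example that is not part of the original question or answer: it sets bit 7 (0x80) of the attribute's searchFlags and then grants the Control Access right on that attribute to the group the provisioning tool binds as. The attribute name `exampleInitialPassword`, the OU `OU=Users,DC=example,DC=com` and the group `EXAMPLE\GCDS-ServiceAccounts` are placeholders; the schema change must be run by a Schema Admin.

```powershell
# Added example, not the original poster's or answerer's code.
# Placeholders: attribute lDAPDisplayName, the OU holding the users, and the
# group that must still read the value (the provisioning tool's bind account).
Import-Module ActiveDirectory

$AttrName     = 'exampleInitialPassword'        # placeholder: your custom attribute
$UsersOU      = 'OU=Users,DC=example,DC=com'    # placeholder: where user objects live
$Readers      = 'EXAMPLE\GCDS-ServiceAccounts'  # placeholder: who may read the value
$Confidential = 0x80                            # searchFlags bit 7 = CONFIDENTIAL

# 1. Find the attributeSchema object for the custom attribute.
$SchemaNC = (Get-ADRootDSE).schemaNamingContext
$Attr = Get-ADObject -SearchBase $SchemaNC -LDAPFilter "(lDAPDisplayName=$AttrName)" `
                     -Properties searchFlags, systemFlags
if (-not $Attr) { throw "Attribute '$AttrName' not found in the schema" }

# Only schema extensions (category 2) can be marked confidential; base-schema
# attributes carry systemFlags bit 0x10 and are rejected by the DC.
if ($Attr.systemFlags -band 0x10) {
    throw "'$AttrName' is a base-schema attribute and cannot be made confidential"
}

# 2. OR the confidential bit into searchFlags so any existing flags (e.g. indexed)
#    are preserved, then ask the DC to reload its schema cache immediately.
$NewFlags = $Attr.searchFlags -bor $Confidential
if ($NewFlags -ne $Attr.searchFlags) {
    Set-ADObject -Identity $Attr.DistinguishedName -Replace @{ searchFlags = $NewFlags }
    $RootDSE = [ADSI]'LDAP://RootDSE'
    $RootDSE.Put('schemaUpdateNow', 1)
    $RootDSE.SetInfo()
}
# From now on, plain Read Property no longer returns the value. Only principals
# holding the Control Access (CA) right on this attribute, or Full Control on the
# object (which Domain Admins have), can read it. No "Deny" on Everyone is needed,
# which is what locked the admins out in the question.

# 3. Grant the provisioning group CA on this attribute for user objects under the
#    OU, inherited (/I:S) so new user objects get the same ACE.
dsacls $UsersOU /I:S /G "${Readers}:CA;${AttrName};user"

# 4. Spot check as an ordinary domain user: the attribute should simply be absent
#    from the result (no error), while an admin or the granted group sees it.
Get-ADUser -SearchBase $UsersOU -Filter * -Properties $AttrName |
    Select-Object -First 3 SamAccountName, $AttrName
```

The confidential bit only changes LDAP read semantics; the value is still stored in clear in NTDS.dit, in backups and in replication and LDAP traffic, so the password should be rotated at first logon and the attribute cleared once the account has been provisioned.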