Active Directory descriptions


10 replies to this topic

#1 RATiO

    Neowinian

  • Joined: 25-February 06
  • Location: England, UK
  • OS: Windows 7/8, Android

Posted 02 July 2014 - 19:16

Hi,

 

Is it possible for regular domain users to read the descriptions from AD for other users/computers?

 

I am thinking of storing some of our service account passwords in the AD description so want to check for security reasons.




#2 sc302

    Neowinian Senior

  • Tech Issues Solved: 25
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 02 July 2014 - 19:49

Use a password management tool like KeePass or Password Safe. This is not smart practice. Yes, the users can see them as they have read access to Active Directory.

http://keepass.info/

http://passwordsafe.sourceforge.net/



#3 Praetor

    ASCii / ANSi Designer

  • Tech Issues Solved: 4
  • Joined: 05-June 02
  • Location: Lisbon
  • OS: Windows Eight dot One dot One 1!one

Posted 03 July 2014 - 00:06

Storing passwords in the description of the object is bad practice.



#4 OP RATiO

    Neowinian

  • Joined: 25-February 06
  • Location: England, UK
  • OS: Windows 7/8, Android

Posted 03 July 2014 - 16:59

Can the permissions be modified so that domain users cannot read the description? I really would rather store the password in AD.

#5 JZolloXP

    Neowinian Senior

  • Joined: 29-October 01
  • OS: Windows 7 x64

Posted 03 July 2014 - 17:34

> Can the permissions be modified so that domain users cannot read the description? I really would rather store the password in AD

To my knowledge, this is not possible.

 

I would heed the advice you've been given here; it is not a smart idea to store unencrypted passwords in AD. Use a password management tool like sc302 recommended, or something similar.



#6 sc302

    Neowinian Senior

  • Tech Issues Solved: 25
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 03 July 2014 - 18:41

> Can the permissions be modified so that domain users cannot read the description? I really would rather store the password in AD

Sure, it is no big deal to have them not read anything in Active Directory (all or nothing kind of thing). They won't be able to read their password database either to be able to sign on or, for that matter, be able to read their user ID to see if they have the ability to log on to that domain.



#7 +BudMan

    Neowinian Senior

  • Tech Issues Solved: 93
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 03 July 2014 - 18:42

You want to store the passwords where - in the account description/comment?

Yeah, that would be a very, very, very bad idea!! Anyone that could query the AD can view that information.

[Attached image: description.png]

#8 OP RATiO

    Neowinian

  • Joined: 25-February 06
  • Location: England, UK
  • OS: Windows 7/8, Android

Posted 22 July 2014 - 17:28

Is there any attribute against the user that is hidden that I could store the password in?



#9 +LogicalApex

    Software Engineer

  • Tech Issues Solved: 8
  • Joined: 14-August 02
  • Location: Philadelphia, PA
  • OS: Windows 7 Ultimate x64
  • Phone: Nexus 5

Posted 22 July 2014 - 17:45

> Is there any attribute against the user that is hidden that I could store the password in?


Why is this better than putting a password DB on a network share with reduced rights? Surely anyone capable of managing AD is capable of opening a KeePass DB.

#10 sc302

    Neowinian Senior

  • Tech Issues Solved: 25
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 22 July 2014 - 18:08

Yes there is:

 

KeePass http://keepass.info/

Password Safe http://passwordsafe.sourceforge.net/

 

If you are saying that I am being a jerk, we already went over this in prior posts.



#11 +techbeck

    Neowinian Senior

  • Tech Issues Solved: 9
  • Joined: 20-January 05

Posted 22 July 2014 - 18:24


> I am thinking of storing some of our service account passwords in the AD description so want to check for security reasons.

 

Yeah, storing passwords with the user accounts or out in the open like that is a big no-no. If you ever get audited, the auditors will ding you pretty good for storing passwords like that.

 

Agree with others... use a program/system to securely store the passwords.
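
An audit check for the practice this thread warns against, added here as an example and not written by any poster above: it scans an LDIF export of your own directory for description values that look like stored credentials, including base64-encoded (`description::`) and folded lines. The sample entries, account names and the keyword pattern are constructed assumptions for illustration.

```python
import base64
import re

# Constructed sample in LDIF form; every name and value here is made up.
_B64 = base64.b64encode(b"SQL service, password=Sql@dm1n").decode()
SAMPLE_LDIF = f"""dn: CN=svc-backup,OU=Service Accounts,DC=example,DC=test
sAMAccountName: svc-backup
description: Backup jobs pw: Winter2014!

dn: CN=svc-sql,OU=Service Accounts,DC=example,DC=test
sAMAccountName: svc-sql
description:: {_B64}

dn: CN=jsmith,OU=Staff,DC=example,DC=test
sAMAccountName: jsmith
description: Finance, 2nd floor. Password resets go through
  the helpdesk.
"""

# Heuristic (an assumption, tune for your site): a password keyword followed by ':' or '=' and a value.
SECRET_HINT = re.compile(r"\b(?:pass(?:word|wd)?|pwd|pw)\b\s*[:=]\s*\S+", re.IGNORECASE)

def parse_ldif(text):
    """Yield one dict per entry, handling folded lines and base64 ('::') values."""
    unfolded = re.sub(r"\r?\n ", "", text)  # RFC 2849: a continuation line starts with one space
    for block in re.split(r"\r?\n\s*\r?\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):  # 'attr:: <base64>'
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            entry.setdefault(name.lower(), []).append(value)
        if entry:
            yield entry

def find_secret_descriptions(ldif_text):
    """Return the sAMAccountName (or DN) of entries whose description looks like a credential."""
    hits = []
    for entry in parse_ldif(ldif_text):
        if any(SECRET_HINT.search(d) for d in entry.get("description", [])):
            hits.append(entry.get("samaccountname", entry.get("dn", ["?"]))[0])
    return hits

if __name__ == "__main__":
    print(find_secret_descriptions(SAMPLE_LDIF))
```

Any account it flags should have its password rotated as well as its description cleared, since the value was readable by every account with read access to the directory.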