RATiO

Active Directory descriptions

11 posts in this topic

Hi,

Is it possible for regular domain users to read the descriptions from AD for other users/computers?

I am thinking of storing some of our service account passwords in the AD description so want to check for security reasons.


Storing passwords in the description of the object is bad practice.


Can the permissions be modified so that domain users cannot read the description? I really would rather store the password in AD.


Can the permissions be modified so that domain users cannot read the description? I really would rather store the password in AD

To my knowledge, this is not possible.

I would heed the advice you've been given here; it is not a smart idea to store unencrypted passwords in AD - use a password management tool like sc302 recommended, or something similar.


Can the permissions be modified so that domain users cannot read the description? I really would rather store the password in AD

Sure, it is no big deal to have them not read anything in Active Directory (all or nothing kind of thing). They won't be able to read their password database either to be able to sign on or, for that matter, be able to read their userid to see if they have the ability to log on to that domain.


You want to store the passwords where - in the account description/comment?

Yeah, that would be a very, very, very bad idea!! Anyone that could query the AD can view that information.

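An audit for what the post above describes, added here as an example and not part of the thread: it lists user and computer accounts whose free-text attributes look like they hold a password. It assumes the RSAT ActiveDirectory module; the regex and the choice of `info` and `comment` alongside `description` are this example's assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example: audit free-text attributes for password-like content.
# The regex is a heuristic chosen for this example; tune it to local habits.
$pattern    = '(?i)\b(pass(word|wd)?|pwd|pw)\b\s*(is|[:=])?\s*\S+'
$attributes = 'description', 'info', 'comment'   # free-text fields checked here

# objectClass=user also matches computer accounts (computer derives from user).
$filter = '(&(objectClass=user)(|(description=*)(info=*)(comment=*)))'
$props  = $attributes + 'sAMAccountName'

$findings = foreach ($obj in Get-ADObject -LDAPFilter $filter -Properties $props) {
    foreach ($attr in $attributes) {
        # These attributes can come back as collections; flatten to one string.
        $text = @($obj.$attr) -join ' '
        if ($text -match $pattern) {
            [pscustomobject]@{
                Account   = $obj.sAMAccountName
                Attribute = $attr
                DN        = $obj.DistinguishedName
                # Report only the length so the suspected secret is not copied.
                Length    = $text.Length
            }
        }
    }
}

$findings | Sort-Object Account | Format-Table -AutoSize
'{0} attribute value(s) need review and credential rotation.' -f @($findings).Count
```

Running it under an ordinary domain user account shows what that account is able to read. Matches are candidates for manual review, since the pattern also hits harmless text such as "password never expires".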

Is there any attribute against the user that is hidden that I could store the password in?


Is there any attribute against the user that is hidden that I could store the password in?

Why is this better than putting a password DB on a network share with reduced rights? Surely anyone capable of managing AD is capable of opening a KeePass DB.


I am thinking of storing some of our service account passwords in the AD description so want to check for security reasons.

Yea, storing passwords with the user accounts or out in the open like that is a big no-no. If you ever get audited, the auditors will ding you pretty good for storing passwords like that.

Agree with others... use a program/system to securely store the passwords.
