RATiO (Posted July 2, 2014):
Hi, Is it possible for regular domain users to read the descriptions from AD for other users/computers? I am thinking of storing some of our service account passwords in the AD description so want to check for security reasons.

sc302 (Veteran) (Posted July 2, 2014):
Use a password management tool like keepass or password safe. This is not smart practice. Yes, the users can see them, as they have read access to Active Directory.
http://keepass.info/
http://passwordsafe.sourceforge.net/

Praetor (Posted July 3, 2014):
Storing passwords in the description of the object is bad practice.

RATiO (Posted July 3, 2014):
Can the permissions be modified so that domain users cannot read the description? I really would rather store the password in AD.

Joseph Zollo (Posted July 3, 2014):
> Can the permissions be modified so that domain users cannot read the description? I really would rather store the password in AD
To my knowledge, this is not possible. I would heed the advice you've been given here; it is not a smart idea to store unencrypted passwords in AD. Use a password management tool like sc302 recommended, or something similar.

sc302 (Veteran) (Posted July 3, 2014):
> Can the permissions be modified so that domain users cannot read the description? I really would rather store the password in AD
Sure, it is no big deal to have them not read anything in Active Directory (all or nothing kind of thing). They won't be able to read their password database either to be able to sign on or, for that matter, be able to read their userid to see if they have the ability to logon to that domain.

+BudMan (MVC) (Posted July 3, 2014):
You want to store the passwords where - in the account description/comment? Yeah, that would be a very, very, very bad idea!! Anyone that could query the AD can view that information.

RATiO (Posted July 22, 2014):
Is there any attribute against the user that is hidden that I could store the password in?

+LogicalApex (MVC) (Posted July 22, 2014):
> Is there any attribute against the user that is hidden that I could store the password in?
Why is this better than putting a password DB on a network share with reduced rights? Surely anyone capable of managing AD is capable of opening a KeePass DB.

sc302 (Veteran) (Posted July 22, 2014):
Yes there is:
keepass http://keepass.info/
passwordsafe http://passwordsafe.sourceforge.net/
If you are saying that I am being a jerk, we already went over this in prior posts.

techbeck (Posted July 22, 2014):
> I am thinking of storing some of our service account passwords in the AD description so want to check for security reasons.
Yea, storing passwords with the user accounts or out in the open like that is a big no no. If you ever get audited, the auditors will ding you pretty good for storing passwords like that. Agree with others...use a program/system to securely store the passwords.

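Added example, not part of any post in this thread: since the replies agree that anyone who can query the directory can read description values, this Python script audits an LDIF export of your own directory (the format ldifde writes) for descriptions that already look like credentials. The sample entries, the keyword pattern and the function names are assumptions constructed for illustration.

```python
import base64
import re

# Heuristic (assumption): credential keyword, then "is", ":" or "=", then a value.
CRED_RE = re.compile(r"(?i)\b(pass(word|wd)?|pwd|pw|secret)\b\s*(is\b|[:=])\s*\S+")

# Constructed sample export (not real data): one folded line, one base64 value.
SAMPLE_LDIF = (
    "dn: CN=svc-backup,OU=Service Accounts,DC=example,DC=test\n"
    "sAMAccountName: svc-backup\n"
    "description: Backup service account, pwd\n"
    " = Example-Only-1!\n\n"
    "dn: CN=svc-sql,OU=Service Accounts,DC=example,DC=test\n"
    "sAMAccountName: svc-sql\n"
    "description:: " + base64.b64encode(b"SQL agent password: Example-Only-2!").decode() + "\n\n"
    "dn: CN=jsmith,OU=Staff,DC=example,DC=test\n"
    "sAMAccountName: jsmith\n"
    "description: Finance, password reset desk contact\n"
)

def parse_ldif(text):
    """Yield one {attribute: [values]} dict per entry, handling folding and base64."""
    unfolded = re.sub(r"\r?\n ", "", text)  # a leading space continues the previous line
    for block in re.split(r"\r?\n\s*\r?\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: <base64>" marks an encoded value
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            entry.setdefault(name.lower(), []).append(value)
        yield entry

def find_exposed(text):
    """Return (sAMAccountName, description) pairs whose description looks like a credential."""
    hits = []
    for entry in parse_ldif(text):
        for desc in entry.get("description", []):
            if CRED_RE.search(desc):
                hits.append((entry.get("samaccountname", ["?"])[0], desc))
    return hits

if __name__ == "__main__":
    for account, _ in find_exposed(SAMPLE_LDIF):
        # Report the account only, so the secret is not copied into more logs.
        print(f"{account}: description appears to contain a credential")
```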