Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2014-12-19) Finding Attributes Marked As Confidential

Posted by Jorge on 2014-12-19


When an attribute is defined with bit 2^7 (=128) set in its searchFlags property, the attribute is marked as confidential. It can then only be read by security principals that have at least "Allow:Read" and "Allow:Control Access" on the object. This prevents "Authenticated Users" from reading the content of the attribute, which is why this bit lets you hide sensitive data in attributes. Remember that the main purpose of this bit is to be applied to new/custom attributeSchema definitions. Base schema attributes cannot be configured for confidentiality, as that would break the system.

ADFIND

ADFIND -h RFSRWDC1.ADCORP.LAB -schema -f "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=128))" -dn

OR

ADFIND -h RFSRWDC1.ADCORP.LAB -bit -schema -f "(&(objectClass=attributeSchema)(searchFlags:AND:=128))" -dn

OR

ADFIND -sc CONFIDENTIAL -dn (sorted output: ADFIND -sc CONFIDENTIALL -dn)


Figure 1: Example Output

AD PoSH Module

Get-ADObject -Server RFSRWDC1.ADCORP.LAB -SearchBase $((Get-ADRootDSE).schemaNamingContext) -LDAPFilter "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=128))" | %{$_.DistinguishedName}

ADSI Through PoSH

$targetDC = "RFSRWDC1.ADCORP.LAB"
# Read the schema naming context from the DC's RootDSE
$rootDSE = [ADSI]"LDAP://$targetDC/RootDSE"
$schemaNamingContext = $rootDSE.schemaNamingContext
# Search the schema partition for attributeSchema objects with searchFlags bit 128 (confidential) set
$search = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"")
$search.SearchRoot = "LDAP://$targetDC/$schemaNamingContext"
$search.Filter = "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=128))"
$search.FindAll() | %{$_.Properties.distinguishedname}

PS: replace the FQDN of the DC with your own

PS: the opposite of this query can be found by replacing (searchFlags:1.2.840.113556.1.4.803:=128) with (!(searchFlags:1.2.840.113556.1.4.803:=128))
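As an added example (not Jorge's code), the same bitwise LDAP query wrapped in a function that also reports, per attribute, whether the confidentiality bit is set and whether the attribute is a base-schema object (systemFlags bit 0x10, FLAG_SCHEMA_BASE_OBJECT), which is useful when auditing which confidential attributes are custom ones as intended. The function name is hypothetical; -Inverse produces the opposite query described above.

```powershell
function Get-ConfidentialAttributeReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Server,   # FQDN of a DC, e.g. RFSRWDC1.ADCORP.LAB
        [switch]$Inverse                         # list attributes WITHOUT the confidentiality bit
    )
    $FLAG_CONFIDENTIAL = 128   # searchFlags bit 2^7 (fCONFIDENTIAL)
    $FLAG_SCHEMA_BASE  = 0x10  # systemFlags bit FLAG_SCHEMA_BASE_OBJECT (base schema)
    $LDAP_MATCHING_RULE_BIT_AND = '1.2.840.113556.1.4.803'

    # Locate the schema partition via RootDSE
    $rootDSE  = [ADSI]"LDAP://$Server/RootDSE"
    $schemaNC = [string]$rootDSE.schemaNamingContext

    # Bitwise AND clause; negate it for the inverse query
    $bitClause = "(searchFlags:${LDAP_MATCHING_RULE_BIT_AND}:=$FLAG_CONFIDENTIAL)"
    if ($Inverse) { $bitClause = "(!$bitClause)" }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$Server/$schemaNC"
    $searcher.Filter     = "(&(objectClass=attributeSchema)$bitClause)"
    $searcher.PageSize   = 1000
    $null = $searcher.PropertiesToLoad.AddRange(
        @('ldapdisplayname', 'searchflags', 'systemflags', 'distinguishedname'))

    foreach ($r in $searcher.FindAll()) {
        # Attributes with no searchFlags value only show up in the inverse query; treat as 0
        $sf   = if ($r.Properties.Contains('searchflags')) { [int]$r.Properties['searchflags'][0] } else { 0 }
        $sysf = if ($r.Properties.Contains('systemflags')) { [int]$r.Properties['systemflags'][0] } else { 0 }
        [pscustomobject]@{
            LdapDisplayName   = [string]$r.Properties['ldapdisplayname'][0]
            SearchFlags       = $sf
            IsConfidential    = (($sf   -band $FLAG_CONFIDENTIAL) -ne 0)
            IsBaseSchema      = (($sysf -band $FLAG_SCHEMA_BASE) -ne 0)
            DistinguishedName = [string]$r.Properties['distinguishedname'][0]
        }
    }
}

# Usage (replace the FQDN with your own DC):
Get-ConfidentialAttributeReport -Server RFSRWDC1.ADCORP.LAB | Sort-Object LdapDisplayName | Format-Table -AutoSize
```

Any row with IsConfidential set and IsBaseSchema true would be unexpected and worth investigating, since base schema attributes are not supposed to carry the bit.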

More information:

Cheers,
Jorge

3 Responses to “(2014-12-19) Finding Attributes Marked As Confidential”

  1. joe said

    adfind -hh thr-dc1 -sc confidentiall

  2. joe said

    adfind -sc confidentiall

  3. […] that have been configured with the confidentiality bit. To find those attributeClasses, read the (2014-12-19) Finding Attributes Marked As Confidential. Now choose an attribute you like, and configure it with the “Control Access” extended right […]
