Solved

Hiding user information in Active Directory

Posted on 2014-10-07
Last Modified: 2014-10-14
I have a complex issue I need help resolving. I have a multi-domain organization with an account domain that has all the users (30,000) within that domain. A 3rd party company is requesting we place a r/w DC in their data-center to access a Citrix application. The problem is that this domain consists of multiple law enforcement agencies and we need to hide personal data, not allowing non-law enforcement to be able to view their personal information. The law enforcement personnel are very concerned with non-law enforcement having access to personal data. I need to get this done in the most efficient way.

If you need more information please let me know.
0
Question by:Jim Wobig
LVL 57

Expert Comment

by:Mike Kline
ID: 40367095
Definitely a complex issue and understandable request. You can take advantage of the Filtered Attribute Set with the RODC. You will need to make sure to test this and make sure you are filtering exactly what you want. You can search for RODC and Filtered Attribute Set, but here are some decent links:

http://technet.microsoft.com/en-us/library/cc753459%28v=ws.10%29.aspx

http://www.frickelsoft.net/blog/?p=202

http://blogs.msdn.com/b/canberrapfe/archive/2011/07/08/adding-attributes-to-the-rodc-filtered-attribute-set.aspx

Thanks

Mike
0
 

Author Comment

by:Jim Wobig
ID: 40367118
Thanks for the response, Mike. The company that is hosting the Citrix application is telling us RODC is not an option. They also won't let us authenticate over the WAN and claim that it causes them to reboot their servers daily.

Thanks again,

Jim
0
 
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 40367331
Then obviously this 3rd party is not for your organization; either do it in-house or find someone else.
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 2000 total points
ID: 40367404
That is fine, you can hide with r/w DCs too. Guido (DS MVP) has a great series on this.

http://windowsitpro.com/active-directory/hiding-active-directory-objects-and-attributes

Other three parts are also there.  Again same as before...test test test.  

Thanks

Mike
0
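A check for the "test" advice in both of the answers above, as an added example that is not from the thread or its participants: it decodes `searchFlags` on schema attributes to report which ones are in the RODC Filtered Attribute Set (bit 0x200) and which carry the confidential bit (0x80), a mechanism for writable DCs that the thread itself does not name. The function name, the attribute names and the sample values are hypothetical and constructed for illustration.

```powershell
# Added example, not code from the thread. Bit values are the documented schema flags.
$CONFIDENTIAL  = 0x80   # searchFlags: reading needs CONTROL_ACCESS, not just read-property
$RODC_FILTERED = 0x200  # searchFlags: attribute is in the RODC Filtered Attribute Set
$BASE_SCHEMA   = 0x10   # systemFlags: base-schema attribute; confidential bit cannot be set

function Test-AttributeHiding {
    param(
        [Parameter(Mandatory)] [object[]] $SchemaAttribute,  # lDAPDisplayName, searchFlags, systemFlags
        [Parameter(Mandatory)] [string[]] $MustHide          # attributes you intend to hide
    )
    foreach ($name in $MustHide) {
        $attr = $SchemaAttribute | Where-Object { $_.lDAPDisplayName -eq $name } | Select-Object -First 1
        if (-not $attr) {
            [pscustomobject]@{ Attribute = $name; InFAS = $null; Confidential = $null
                               Finding = 'not found in schema input' }
            continue
        }
        $search = [int]$attr.searchFlags            # an unset searchFlags casts to 0
        $inFas  = [bool]($search -band $RODC_FILTERED)
        $conf   = [bool]($search -band $CONFIDENTIAL)
        $base   = [bool]([int]$attr.systemFlags -band $BASE_SCHEMA)
        $finding = if ($inFas -and $conf) { 'filtered from RODCs and confidential' }
                   elseif ($inFas)        { 'filtered from RODCs only' }
                   elseif ($conf)         { 'confidential, but replicates to RODCs' }
                   elseif ($base)         { 'exposed; base schema, needs ACL changes' }
                   else                   { 'exposed' }
        [pscustomobject]@{ Attribute = $name; InFAS = $inFas; Confidential = $conf; Finding = $finding }
    }
}

# Constructed sample input; the attribute names are hypothetical.
$sample = @(
    [pscustomobject]@{ lDAPDisplayName = 'leaBadgeNumber';      searchFlags = 640; systemFlags = 0 }
    [pscustomobject]@{ lDAPDisplayName = 'leaHomeAddress';      searchFlags = 128; systemFlags = 0 }
    [pscustomobject]@{ lDAPDisplayName = 'leaEmergencyContact'; searchFlags = 1;   systemFlags = 0 }
    [pscustomobject]@{ lDAPDisplayName = 'leaHomePhone';        searchFlags = 0;   systemFlags = 16 }
)
Test-AttributeHiding -SchemaAttribute $sample `
    -MustHide 'leaBadgeNumber', 'leaHomeAddress', 'leaEmergencyContact', 'leaHomePhone', 'leaUnit' |
    Format-Table -AutoSize

# Live input instead of $sample (requires the ActiveDirectory module):
#   Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
#       -LDAPFilter '(objectClass=attributeSchema)' `
#       -Properties lDAPDisplayName, searchFlags, systemFlags
```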
