You can mark certain attributes as confidential within a domain. The typical reason for doing so is to prevent unauthorized individuals from seeing the data marked as confidential. To mark an attribute as confidential, you use ADSI Edit and typically the ldifde tool.

Confidential attributes apply to all domain controllers, including RODCs.


Although you can use ADSI Edit to mark an attribute as confidential, the scenario described here illustrates the use of ldifde, which is typically used for bulk or scripted operations. To mark an attribute as confidential, first view the attribute in ADSI Edit. For example, Figure 5-1 shows the documentLocation object found at CN=documentLocation,CN=Schema,CN=Configuration.
Notice that the value for searchFlags is 0x0, meaning that no flags are set for this attribute.

Implementing confidential attributes

FIGURE 5-1 The searchFlags attribute is set to 0x0.

Open a command prompt as Administrator and run the following command, again using documentLocation as the example attribute and adventure-works.com as the example domain:
ldifde -d "CN=documentLocation,CN=Schema,CN=Configuration,DC=adventure-works,DC=com" -f en_ldif -l searchflags
The ldifde command runs and produces a file in the current directory called en_ldif. The contents of that file look like the following:
dn: CN=documentLocation,CN=Schema,CN=Configuration,DC=adventure-works,DC=com
changetype: add
searchFlags: 0
Edit the file with a text editor such as Notepad. Set the changetype to modify, add the line replace: searchFlags, change the searchFlags value to 128, and add a hyphen (-) on a line by itself at the end to terminate the change. The final result looks like this:
dn: CN=documentLocation,CN=Schema,CN=Configuration,DC=adventure-works,DC=com
changetype: modify
replace: searchFlags
searchFlags: 128
-
Save that file as en-confidential.
Now import the file with the following command:
ldifde -i -f en-confidential
After this command completes, examine the searchFlags value through ADSI Edit again. Notice, as shown in Figure 5-2, that the value is now 0x80 (128 in hexadecimal), reflecting the change that you made.

FIGURE 5-2 Marking documentLocation as Confidential, as seen through ADSI Edit.
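The edit described above is done by hand in Notepad. As an added example (not code from the book or from Microsoft's ldifde tool), the following Python script performs the same transformation: it parses the export file that ldifde writes, computes the new searchFlags value, and emits the modify LDIF shown above. It goes one step beyond the hand edit: because searchFlags is a bitmask, the script ORs in the confidential bit (0x80, decimal 128) rather than overwriting the value, so an attribute that already has other flags set (for example, indexing) keeps them. The sample export text is constructed here from the page's own example; the file names are the page's.

```python
"""
Build a 'changetype: modify' LDIF that marks an attribute confidential,
starting from the single-entry export that 'ldifde -d <dn> -f en_ldif -l
searchflags' produces. Added example; not the book's or Microsoft's code.
"""

# searchFlags bit that marks an attribute as confidential (0x80 == 128).
CONFIDENTIAL = 0x80


def parse_ldif_entry(text):
    """Parse a single-entry LDIF export into (dn, {attribute: [values]}).

    Handles LDIF line continuation (a following line that starts with a
    space) and skips comments and blank lines. Base64 (::) values are not
    needed for searchFlags and are not decoded here.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of previous line
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)

    dn, attrs = None, {}
    for line in lines:
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(key.lower(), []).append(value)
    return dn, attrs


def is_confidential(search_flags):
    """True if the confidential bit is set in a searchFlags value."""
    return bool(search_flags & CONFIDENTIAL)


def confidential_modify_ldif(export_text):
    """Return (new_search_flags, modify_ldif) for the exported entry.

    The new value ORs in the confidential bit so that any flags already
    set on the attribute are preserved. For an attribute whose searchFlags
    is 0, as on the page, the result is exactly 128.
    """
    dn, attrs = parse_ldif_entry(export_text)
    if dn is None:
        raise ValueError("export contains no dn: line")
    current = int(attrs.get("searchflags", ["0"])[0])
    new_flags = current | CONFIDENTIAL
    modify_ldif = "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: searchFlags",
        f"searchFlags: {new_flags}",
        "-",                              # terminates the modify operation
        "",
    ])
    return new_flags, modify_ldif


# Constructed sample: the en_ldif contents shown on the page.
SAMPLE_EXPORT = """dn: CN=documentLocation,CN=Schema,CN=Configuration,DC=adventure-works,DC=com
changetype: add
searchFlags: 0
"""


if __name__ == "__main__":
    # Typical use: read en_ldif written by ldifde, write en-confidential
    # for 'ldifde -i -f en-confidential'. Here the sample text is used.
    flags, ldif = confidential_modify_ldif(SAMPLE_EXPORT)
    with open("en-confidential", "w", encoding="utf-8") as fh:
        fh.write(ldif)
    print(f"new searchFlags = {flags} (0x{flags:X}), "
          f"confidential = {is_confidential(flags)}")
    print(ldif)
```

To use it against a real export, replace SAMPLE_EXPORT with the contents of en_ldif and then import the generated en-confidential file with ldifde -i -f en-confidential, exactly as the page describes. Checking the result in ADSI Edit should show 0x80 for an attribute that previously had no flags set.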