You can mark certain attributes as confidential within a domain. The typical reason for doing so is to prevent unauthorized individuals from seeing the data marked as confidential. To mark an attribute as confidential, you can use ADSI Edit or, more typically, the ldifde tool.
NOTE: CONFIDENTIAL ATTRIBUTES
Confidential attributes apply to all domain controllers, including RODCs.
Although you can use ADSI Edit to mark an attribute as confidential, the scenario described here illustrates the use of ldifde, which is typically used for bulk or scripted operations. To mark an attribute as confidential, first view the attribute in ADSI Edit. For example, Figure 5-1 shows the documentLocation object found at CN=documentLocation,CN=Schema,CN=Configuration.
Notice that the value for searchFlags is 0x0, meaning that no flags are set for this attribute.
FIGURE 5-1 The searchFlags attribute is set to 0x0.
Open a command prompt as Administrator and run the following command, again using documentLocation as the example and the adventure-works.com domain:
ldifde -d "CN=documentLocation,CN=Schema,CN=Configuration,DC=adventure-works,DC=com" -f en_ldif -l searchflags
The ldifde command runs and produces a file in the current directory called en_ldif. The contents of that file look like the following:
Edit the file with a text editor such as Notepad. Set the changetype to modify, add the line replace: searchFlags, change the searchFlags value to 128, and add a line containing a single hyphen (-) at the end. The final result looks like this:
Save that file as en-confidential.
Now import the file with the following command:
ldifde -i -f en-confidential
After this command completes, examine the searchFlags value through ADSI Edit again. Notice, as shown in Figure 5-2, that the value is now 0x80 (the hexadecimal form of 128), reflecting the change that you made.
FIGURE 5-2 Marking documentLocation as Confidential, as seen through ADSI Edit.
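The following script is an added example, not part of the book's procedure. It produces the same modify file that the manual Notepad edit above creates, but it ORs the confidential bit (0x80) into whatever searchFlags value the export already holds instead of overwriting the value with a bare 128, so flags such as indexed or ANR that may already be set on a production attribute are preserved. It also decodes a searchFlags value into flag names, which is the same check you make in ADSI Edit after the import. The export text is a constructed stand-in for the en_ldif file, and the flag-to-name table, file names and function names are assumptions for this illustration.

```python
"""Build the ldifde 'modify' record that marks a schema attribute as confidential.

Added example (not from the book). It assumes ldifde's single-entry export
format (dn / changetype: add / searchFlags: N) and uses a constructed export
for documentLocation in the adventure-works.com domain.
"""

# Bit values of the searchFlags schema attribute. 0x80 (128) is the
# confidential bit this procedure sets; the others are listed so that an
# existing value can be decoded and preserved.
CONFIDENTIAL = 0x80
SEARCH_FLAG_NAMES = {
    0x1: "indexed",
    0x2: "containerized-index",
    0x4: "ANR",
    0x8: "preserve-on-delete",
    0x10: "copy-on-duplicate",
    0x20: "tuple-index",
    0x40: "subtree-index",
    0x80: "confidential",
    0x200: "RODC-filtered",
}

# Constructed stand-in for the en_ldif file written by:
#   ldifde -d "CN=documentLocation,...,DC=com" -f en_ldif -l searchflags
SAMPLE_EXPORT = """dn: CN=documentLocation,CN=Schema,CN=Configuration,DC=adventure-works,DC=com
changetype: add
searchFlags: 0
"""


def parse_export(ldif_text):
    """Return (dn, current searchFlags) from a single-entry ldifde export."""
    dn = None
    flags = 0
    for line in ldif_text.splitlines():
        if line.lower().startswith("dn:"):
            dn = line.split(":", 1)[1].strip()
        elif line.lower().startswith("searchflags:"):
            flags = int(line.split(":", 1)[1].strip())
    if dn is None:
        raise ValueError("export has no dn: line")
    return dn, flags


def is_confidential(flags):
    """True when the confidential bit (0x80) is set in a searchFlags value."""
    return bool(flags & CONFIDENTIAL)


def describe_flags(flags):
    """Decode a searchFlags value into the names of the bits that are set."""
    return [name for bit, name in sorted(SEARCH_FLAG_NAMES.items()) if flags & bit]


def build_confidential_modify(ldif_text):
    """Return the LDIF 'changetype: modify' text that adds the confidential bit.

    The hand edit in the book replaces the value with exactly 128; this keeps
    any bits already present by OR-ing 0x80 into the exported value. The
    trailing '-' line terminates the modify operation, as LDIF requires.
    """
    dn, current = parse_export(ldif_text)
    new_value = current | CONFIDENTIAL
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: searchFlags\n"
        f"searchFlags: {new_value}\n"
        "-\n"
    )


if __name__ == "__main__":
    # Write the file the book then imports with: ldifde -i -f en-confidential
    record = build_confidential_modify(SAMPLE_EXPORT)
    with open("en-confidential", "w", encoding="ascii") as fh:
        fh.write(record)
    _, after = parse_export(record)
    print(record)
    print("confidential:", is_confidential(after), describe_flags(after))
```

For the constructed export with searchFlags 0 the output is identical to the book's hand-edited file (searchFlags: 128). For an attribute that was already indexed (searchFlags 1), the script emits 129 rather than 128, which is the difference between adding the confidential bit and silently dropping the index.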