Confidential bit follow-up


After my previous post about the confidential bit I received great feedback through the blog comment system (thanks Jorge and Lee) and in off-line conversations on the newsgroup. I’ve decided to gather this additional information in this follow-up post as an update to my original one.
First of all, when you want to use the confidential bit for some attribute you have to remember that it works only with Windows 2003 SP1 DCs and higher. So if you want to use it, and you want your changes to take effect, the schema FSMO has to be Windows 2003 SP1 or higher. The best situation is when all your DCs are Windows 2003 SP1 or higher.
Another thing you have to be aware of: some default permissions on AD objects allow certain groups to read attributes with the confidential bit set. These include:

  • Administrators
  • Account operators
  • any other security principal with Full control permission for an object.

In general, to read such an attribute one has to have both the READ_PROPERTY and CONTROL_ACCESS permissions, which of course are included in Full control. Lee Flight pointed out that there is a bug in dsacls.exe which prevents using this tool to set the CA (control access) permission on the object; I hope this will be fixed in a short time, probably not in the R2 time frame. Until then we can still use the LDP.EXE version which comes on the Windows 2003 R2 CD (R2 is on its way).

One last thing: as Jorge pointed out, this bit cannot be set for base-schema attributes. These can be identified with LDP.EXE by searching for attributes whose searchFlags attribute matches a bitwise AND (again using the matching-rule OID) against the value 0x10 (16 in decimal):

searchFlags:1.2.840.113556.1.4.803:=16
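The filter above uses the LDAP bitwise-AND matching rule (OID 1.2.840.113556.1.4.803). As an added example that is not part of the original post, the script below evaluates that matching rule over a few constructed attributeSchema entries and decides whether the confidential bit (the 0x80 bit of searchFlags) may be set on a given attribute; it assumes the base-schema marker is the 0x10 bit of systemFlags (FLAG_SCHEMA_BASE_OBJECT), which is where that flag lives in the schema, and the attribute names and flag values in the sample entries are made up.

```python
import re

# Added example (not from the original post). Constants from the AD schema:
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
SEARCHFLAGS_CONFIDENTIAL = 0x80   # the "confidential bit" in searchFlags
FLAG_SCHEMA_BASE_OBJECT = 0x10    # base-schema marker bit in systemFlags (assumption, see lead-in)

# Constructed sample attributeSchema entries, not dumped from a real forest.
SAMPLE_SCHEMA = {
    "baseAttrSample": {"searchFlags": 0x00, "systemFlags": 0x10},  # part of the base schema
    "customAttrOne":  {"searchFlags": 0x01, "systemFlags": 0x00},  # custom attribute, indexed
    "customAttrTwo":  {"searchFlags": 0x81, "systemFlags": 0x00},  # custom, already confidential
}

# Accepts "attr:1.2.840.113556.1.4.803:=N", with or without the surrounding parentheses.
FILTER_RE = re.compile(
    r"^\(?(\w+):" + re.escape(LDAP_MATCHING_RULE_BIT_AND) + r":=(\d+)\)?$")


def bit_and_filter(attr, mask):
    """Build the extensible-match filter LDP.EXE expects, e.g. (searchFlags:1.2.840.113556.1.4.803:=16)."""
    return f"({attr}:{LDAP_MATCHING_RULE_BIT_AND}:={mask})"


def matches_bit_and(entry, filt):
    """Evaluate a bitwise-AND extensible match: true when every bit of the mask is set in the value."""
    m = FILTER_RE.match(filt)
    if not m:
        raise ValueError(f"not a bitwise-AND extensible match filter: {filt}")
    attr, mask = m.group(1), int(m.group(2))
    value = entry.get(attr)
    if value is None:            # attribute absent: LDAP filters evaluate to false, not an error
        return False
    return (value & mask) == mask


def find_matching(schema, filt):
    """Names of schema entries that satisfy the filter, sorted for stable output."""
    return sorted(name for name, entry in schema.items() if matches_bit_and(entry, filt))


def plan_confidential_bit(schema, attr_name):
    """Return the searchFlags value to write, or None when the bit must not be set (base-schema attribute)."""
    entry = schema[attr_name]
    if matches_bit_and(entry, bit_and_filter("systemFlags", FLAG_SCHEMA_BASE_OBJECT)):
        return None
    # OR the bit in so existing flags (e.g. indexing) are preserved; idempotent if already set.
    return entry["searchFlags"] | SEARCHFLAGS_CONFIDENTIAL


if __name__ == "__main__":
    for name in SAMPLE_SCHEMA:
        print(name, plan_confidential_bit(SAMPLE_SCHEMA, name))
```

Run it to see which constructed attributes are refused (base schema) and what searchFlags value the others would receive.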

Many thanks go to all the guys who made comments about this.