I understand where you are coming from, but that doesn’t quite get what I need.

 

If I can hide a couple of fields that are available from the global catalog and give permissions to the people who need to view them, it makes my life a whole lot easier.

 

For example: we have a student ID number that is used for a lot of different things. If I populate AD with that number, and a student gets someone else’s, it will cause all kinds of grief. But IF I could make that number available to select users, then we reduce a lot of help desk calls. AD>Email is a natural place for it.

 

Another example: I put up a password reset page, and I need something that will uniquely ID the students. I can query the field and verify the student is who they say they are.

It is part of FERPA, but it is more a safeguard against ID theft.

 

 

Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA  18711
PH: 570-208-5845
Fax: 570-208-6072
Cell: 570-760-0335
[EMAIL PROTECTED]


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, August 18, 2004 2:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] hiding a field from global catalog

 

Well, the problem with only hiding the GAL is that information still exists if anyone does an LDAP query. Since I don’t have an answer to your question, I will just tell you what we are doing.

 

If a student elects to exercise either FERPA or the Buckley amendment, their name is nowhere in Active Directory. We use a different field to uniquely identify them (such as a social security number; now, we don’t actually use the SS, that is just an example… something that should only be known by them). Then we create a generic username for them, such as user1 (which is of course cross-referenced with the unique identifier). We also hide the user totally from the GAL, not just specific fields. This makes them totally anonymous (the purpose of FERPA) unless someone has access to records containing the unique identifier, in which case you have still upheld your commitment because you didn’t give the person access to that information. Does this make sense?

 

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Wednesday, August 18, 2004 2:15 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] hiding a field from global catalog

 

That is part of it…

 

Rick Gasper


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, August 18, 2004 2:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] hiding a field from global catalog

 

Rick,

 

Would this happen to be for compliance with FERPA?

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Wednesday, August 18, 2004 1:59 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] hiding a field from global catalog

 

 

Hi all,

I need to hide a field in AD (Windows 2003/Exchange 2003) from displaying in the GAL in Exchange. Ideally, I could block all students from seeing one or two fields and allow all staff to view those fields (company name or company number, as an example).

 

I tried to set permissions using ADSI Edit (deny students read), but that didn’t seem to work.

 

 

TIA,

 

Rick Gasper

 
