Wondering to know if it's possible to add a new attribute into the user class in order to store encrypted data there? is it possible?
Is it possible to store encrypted data in Active Directory?
Yes, it's possible, but it may not be something you want to do, and it doesn't seem to be recommended by admins from what I'm reading. Let's start with "why not?"
- If you're storing PII, it is not recommended to do in AD.
- If you're thinking of trying to encrypt non-custom attributes...not really possible. So you'd have to create a custom attribute and that means extending the schema.
- Check the industry regulations in your country for what types of information you must keep protected and separated (e.g. in the US, we must check with HIPAA or Sarbanes-Oxley, etc. Check with your compliance officer before doing something with PII).
- If you believe this action is temporary: once you create a custom attribute, it is permanent. You can disable it, but you can't destroy it if you no longer need it.
Okay, so why don't admins recommend it?
- it's possibly complex and can be messed up.
- In older ADs, you may see that it allows for storage of the encrypted value but doesn't manage the encryption, so you'll have to do this separately.
- Here's an overview of how you might use it (2012): http://www.itprotoday.com/management-mobility/using-confidentiality-bit-hide-data-active-directory
- Here's another way you can see it (2005): https://dirteam.com/tomek/2005/11/21/confidential-bit/
Cordially,
Ronnie Wong
Edutainer Manager, ACI Learning [ITPRO]
*If the post has answered the question, mark it as solved.
**All "answers" and responses are offered "as is" and my opinion. There is no implied service, support, or guarantee by ITProTV.
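The procedure the answer above describes (extend the schema with a custom attribute, set the confidentiality bit so it is hidden from ordinary readers, and handle the encryption yourself because AD only stores bytes), as an added PowerShell example. This is not code from the original post or from the linked articles. It assumes the ActiveDirectory module, Schema Admins membership, and an OID allocated from your own registered prefix; the attribute name `contoso-EncryptedBlob`, the OID, the user `jdoe` and the functions `Protect-Blob` / `Unprotect-Blob` are placeholders invented for the example.

```powershell
# Added example, not from the original post. Placeholders: attribute name, OID, 'jdoe'.
Import-Module ActiveDirectory

$attrName = 'contoso-EncryptedBlob'
$attrOid  = '1.2.840.113556.1.8000.2554.12345.67890'   # placeholder: generate your own OID
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$schemaMaster = (Get-ADForest).SchemaMaster            # schema writes must go to the schema master

# 1. Create the custom attribute. searchFlags 128 is the confidentiality bit (CF):
#    only principals granted CONTROL_ACCESS (or Full Control) on the object can read it.
#    Base-schema attributes cannot be made confidential, which is why a custom one is needed.
#    This is permanent: the attribute can later be made defunct, but never deleted.
New-ADObject -Server $schemaMaster -Name $attrName -Type attributeSchema -Path $schemaNC -OtherAttributes @{
    lDAPDisplayName  = $attrName
    attributeID      = $attrOid
    attributeSyntax  = '2.5.5.10'   # Octet String: AD stores opaque bytes
    oMSyntax         = 4
    isSingleValued   = $true
    searchFlags      = 128          # CF: confidential
    adminDescription = 'Ciphertext only; encryption is handled outside AD'
}

# 2. Allow user objects to carry it, then refresh the schema cache.
$userClass = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC -Filter "lDAPDisplayName -eq 'user'"
Set-ADObject -Server $schemaMaster -Identity $userClass -Add @{ mayContain = $attrName }
$rootDse = [ADSI]'LDAP://RootDSE'
$rootDse.Put('schemaUpdateNow', 1)
$rootDse.SetInfo()

# 3. AD does not encrypt anything for you. AES-256-CBC with HMAC-SHA256 over IV||ciphertext
#    (encrypt-then-MAC); the blob layout is MAC(32) || IV(16) || ciphertext. Keys stay outside AD.
function Protect-Blob {
    param([byte[]]$EncKey, [byte[]]$MacKey, [string]$PlainText)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $EncKey
    $aes.GenerateIV()                                   # fresh random IV per value
    $pt   = [Text.Encoding]::UTF8.GetBytes($PlainText)
    $ct   = $aes.CreateEncryptor().TransformFinalBlock($pt, 0, $pt.Length)
    $body = [byte[]]($aes.IV + $ct)
    $mac  = [System.Security.Cryptography.HMACSHA256]::new($MacKey).ComputeHash($body)
    $aes.Dispose()
    return [byte[]]($mac + $body)
}

function Unprotect-Blob {
    param([byte[]]$EncKey, [byte[]]$MacKey, [byte[]]$Blob)
    if ($Blob.Length -lt 64) { throw 'Blob too short to contain MAC, IV and one cipher block' }
    $mac    = [byte[]]$Blob[0..31]
    $body   = [byte[]]$Blob[32..($Blob.Length - 1)]
    $expect = [System.Security.Cryptography.HMACSHA256]::new($MacKey).ComputeHash($body)
    $diff = 0                                           # constant-time compare of the MAC
    for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($mac[$i] -bxor $expect[$i]) }
    if ($diff -ne 0) { throw 'MAC mismatch: blob tampered with or wrong key' }
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $EncKey
    $aes.IV  = [byte[]]$body[0..15]
    $ct  = [byte[]]$body[16..($body.Length - 1)]
    $pt  = $aes.CreateDecryptor().TransformFinalBlock($ct, 0, $ct.Length)
    $aes.Dispose()
    return [Text.Encoding]::UTF8.GetString($pt)
}

# Keys must come from a store outside AD (DPAPI-NG, a vault, an HSM). Random keys here
# only make the example self-contained; losing them makes every stored blob unreadable.
$encKey = New-Object byte[] 32
$macKey = New-Object byte[] 32
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($encKey)
$rng.GetBytes($macKey)

# 4. Write ciphertext into the attribute, then read it back. Confidential attributes are
#    returned only when requested explicitly and only to callers allowed to read them.
$blob = Protect-Blob -EncKey $encKey -MacKey $macKey -PlainText 'sensitive value'   # constructed sample
Set-ADUser -Identity 'jdoe' -Replace @{ $attrName = $blob }

$u = Get-ADUser -Identity 'jdoe' -Properties $attrName
Unprotect-Blob -EncKey $encKey -MacKey $macKey -Blob ([byte[]]$u.$attrName)
```

Two caveats worth checking before relying on this. The confidentiality bit is an access-control trick, not encryption: anyone with Full Control on the user object (Domain Admins, Account Operators, delegated admins) still reads the attribute, which is why the value is encrypted before it is written. And because the encryption key lives outside AD, the blob is only as protected as the key store and the accounts that can reach it; the AD side gives you availability and replication, nothing more.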