Wondering if it's possible to add a new attribute to the user class in order to store encrypted data there. Is it possible?
Is it possible to store encrypted data in Active Directory?
Yes, it's possible, but it may not be something you want to do, and it doesn't seem to be recommended by admins from what I'm reading. Let's start with "why not?"
- If you're storing PII, it is not recommended to do so in AD.
- If you're thinking of trying to encrypt non-custom attributes... not really possible. So you'd have to create a custom attribute, and that means extending the schema.
- Check the industry regulations in your country for what types of information you must keep protected and separated (e.g. in the US, we must check with HIPAA or Sarbanes-Oxley, etc.; check with a Compliance officer before doing something with PII).
- If you believe this action is temporary: once you create a custom attribute, it will be permanent. You can disable it but not destroy it if you no longer need it.
Okay, so why don't admins recommend it?
- It's possibly complex and can be messed up.
- In older ADs, you may see that it allows for storage of the encrypted value but doesn't manage the encryption... so you'll have to do this separately.
- Here's an overview of how you might use it (2012): http://www.itprotoday.com/management-mobility/using-confidentiality-bit-hide-data-active-directory
- Here's another way you can see it (2005): https://dirteam.com/tomek/2005/11/21/confidential-bit/
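As an added illustration of the custom-attribute-plus-confidential-bit approach the answer describes (example code, not from the original post or the linked articles), the PowerShell below extends the schema with a constructed attribute, marks it confidential, and encrypts the value outside AD before writing it. It assumes the RSAT ActiveDirectory module, Schema Admins membership, a constructed account `jdoe`, and a placeholder OID that you must replace with one from your own organisation's arc.

```powershell
# Added example, not part of the original post. Run as Schema Admins; OID is a placeholder.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Security

$schemaMaster = (Get-ADForest).SchemaMaster            # schema writes must go to the FSMO holder
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
$attrName     = 'contoso-EncryptedNote'                 # constructed attribute name
$attrOid      = '1.2.840.113556.1.8000.2554.PLACEHOLDER' # placeholder: use an OID you own

# 1. Create the custom attribute. searchFlags 128 (0x80) is the confidentiality bit: only
#    principals with Full Control or the CONTROL_ACCESS right on the object can read it.
#    The bit cannot be set on base-schema attributes, which is why a custom one is needed.
#    This is permanent: the attribute can be made defunct later, but never deleted.
New-ADObject -Server $schemaMaster -Name $attrName -Type attributeSchema -Path $schemaNC -OtherAttributes @{
    lDAPDisplayName = $attrName
    attributeID     = $attrOid
    attributeSyntax = '2.5.5.12'   # Unicode string
    oMSyntax        = 64
    isSingleValued  = $true
    searchFlags     = 128          # CONFIDENTIAL
}

# 2. Let the user class carry it (mayContain) and force a schema cache refresh.
$userClass = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=user)'
Set-ADObject -Server $schemaMaster -Identity $userClass -Add @{ mayContain = $attrName }
$rootDse = [ADSI]"LDAP://$schemaMaster/RootDSE"
$rootDse.Put('schemaUpdateNow', 1)
$rootDse.SetInfo()

# 3. AD only stores bytes; the encryption is your job. DPAPI (LocalMachine scope) is used
#    here for brevity: any process on this same machine can decrypt, so a real deployment
#    should use a key held outside AD (HSM, certificate-protected key, or a secrets store).
function Protect-Note([string]$PlainText) {
    $bytes = [Text.Encoding]::UTF8.GetBytes($PlainText)
    $enc   = [Security.Cryptography.ProtectedData]::Protect($bytes, $null,
                 [Security.Cryptography.DataProtectionScope]::LocalMachine)
    [Convert]::ToBase64String($enc)
}
function Unprotect-Note([string]$Base64) {
    $dec = [Security.Cryptography.ProtectedData]::Unprotect([Convert]::FromBase64String($Base64), $null,
               [Security.Cryptography.DataProtectionScope]::LocalMachine)
    [Text.Encoding]::UTF8.GetString($dec)
}

# 4. Write the ciphertext to the constructed account and read it back.
Set-ADUser -Identity 'jdoe' -Replace @{ $attrName = (Protect-Note 'constructed sample value') }
$stored = (Get-ADUser -Identity 'jdoe' -Properties $attrName).$attrName
Unprotect-Note $stored
```

Note that the confidential bit only hides the value from ordinary readers; Domain Admins and anyone granted Full Control on the user object still read the ciphertext, so the protection of the plaintext rests entirely on where the decryption key lives.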