Educause Security Discussion mailing list archives

Re: MS Active Directory and FERPA


From: Bradley Ellis <Bradley.Ellis () ITS MONASH EDU AU>
Date: Tue, 14 Jun 2005 16:10:38 +1000

Hi,

I've been wrestling with this issue as well.  We've held back
from populating a semi-sensitive user attribute in our AD
because the default permissions allow "authenticated users"
to read a great number of user attributes, including the one
we'd like to populate.  We looked into modifying the default
ACLs on all user objects but we have long-term performance
and support concerns about replacing one "Read All
Properties" DACL with potentially 250+ DACLs on every user
object just to be able to restrict one attribute.

You could go down the "Deny Access" path - as in MS Land,
Denys take precedence over Allows.

        E.g. Use the Users Group (or some other custom group)
        and Deny them read access to the sensitive attribute(s).

Any Account that you want to have access to the Sensitive
Attribute must not be a member of the Users Group (or other
custom group) as the Deny will overwrite the Allow.

Hopefully this should also be fairly easy to manage
in your account creation procedures and easy to audit.

Cheers,
Brad.
--
Bradley Ellis
Senior IT Security Officer, Infrastructure Services
Information Technology Services, Monash University - Clayton
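The Deny approach described above, as an added PowerShell example that is not part of the original post or any Monash configuration. It assumes the RSAT ActiveDirectory module and Domain Admin rights; the attribute name, OU, and group names are placeholders. It adds a single Deny ReadProperty ACE scoped to one attribute (rather than rewriting per-user DACLs), then runs the two audit checks the post calls for: which Deny ACEs exist for that attribute, and which intended readers are still members of the denied group.

```powershell
# Added example (not from the original post). Assumes RSAT ActiveDirectory module,
# a domain-joined host and rights to change the OU's security descriptor.
Import-Module ActiveDirectory

$AttributeName    = 'extensionAttribute1'             # placeholder: semi-sensitive attribute
$DenyGroupName    = 'Users'                           # group to deny, as in the post
$AllowedGroupName = 'SensitiveAttributeReaders'       # placeholder: accounts that must read it
$TargetOU         = 'OU=People,DC=example,DC=edu'     # placeholder: container of user objects

# Resolve the attribute's schemaIDGUID so the Deny ACE covers only that one property.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrObj  = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$AttributeName)" `
                         -Properties schemaIDGUID
if (-not $attrObj) { throw "Attribute '$AttributeName' not found in schema" }
$attrGuid = [Guid]$attrObj.schemaIDGUID

# Well-known schemaIDGUID of the 'user' class: limits inheritance to user objects.
$userClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$groupSid      = (Get-ADGroup $DenyGroupName).SID

# One Deny ReadProperty ACE on the OU, inherited by descendant user objects.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl = Get-Acl -Path "AD:\$TargetOU"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Audit 1: list every Deny ACE on the OU that targets this attribute.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $attrGuid } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritedObjectType

# Audit 2: intended readers that are still (directly) in the denied group.
# For these accounts the Deny wins over any Allow, so they will not see the attribute.
Get-ADGroupMember -Identity $AllowedGroupName -Recursive |
    Where-Object { (Get-ADPrincipalGroupMembership $_).Name -contains $DenyGroupName } |
    Select-Object SamAccountName, DistinguishedName
```

Run Audit 2 as part of account-creation and periodic review, since a reader added to the denied group later silently loses access.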
