Mark Minasi's Tech Forum
meloao

New Friend (or an Old Friend who Built a New Account)
Posts: 95
#1
Is there a field in AD to capture a date without updating schema? Domain and Forest Functional Level are both Windows Server 2008. 


0
cj_berlin

Senior Member
Posts: 375
#2
Hmmm. Can you be more specific on what you're *really* trying to achieve?
__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
0
meloao

New Friend (or an Old Friend who Built a New Account)
Posts: 95
#3
I want to identify a field in AD that we can use for dates. Specifically, we are looking to include hire dates for user accounts.
0
cj_berlin

Senior Member
Posts: 375
#4
Just use a text field and store the date in a consistent format.
0
wkasdo

Administrator
Posts: 241
#5
Be aware that many companies (and people) would consider this privacy-sensitive information, which should not be stored in AD because that information is readable by all Domain Users.
__________________
[MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/
0
meloao

New Friend (or an Old Friend who Built a New Account)
Posts: 95
#6
That's a good point and I agree with you.  It seems like one can deduce age from hire date which would be PII.

The business folks want hire date posted for employee profiles on our intranet site (which syncs to AD). 

I think instead of putting hire date in AD, we are going to extract hire date from our HR/CMS system and upload to intranet. 
0
cj_berlin

Senior Member
Posts: 375
#7
Wouldn’t everyone be able to see that info on the Intranet then? If it’s OK to disclose it to other staff members in the first place then you can sync it to wherever you like...
0
jsclmedave

Administrator
Posts: 482
#8
Quote:
Originally Posted by wkasdo
Be aware that many companies (and people) would consider this privacy-sensitive information, which should not be stored in AD because that information is readable by all Domain Users.


But you can restrict AD Attributes that will override the default READ, correct? Like EMP ID #'s. They are hidden unless you have the correct Security Group to see them.

__________________
Tim Bolton @jsclmedave
Email: [string](0..20|%{[char][int](32+('527377347976847978324785847679797514357977').substring(($_*2),2))}) -replace ' '  

New to the forum? Please Read this
0
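An added example, not code from any poster in this thread: one way AD hides an attribute from ordinary readers is the confidential flag (bit 128 of `searchFlags` on the attribute's schema object), after which reading needs the CONTROL_ACCESS right on top of normal read access. The sketch reports which trustees in an ACL hold that right for a flagged attribute. `exampleHireDate`, the `EXAMPLE\` groups and all sample values are constructed, and deny ACEs, inheritance scoping and group nesting are ignored.

```powershell
# Added example; the schema entry and ACEs below are constructed sample data.
$CONFIDENTIAL   = 0x80   # searchFlags bit: attribute is confidential
$BASE_SCHEMA    = 0x10   # systemFlags bit: base-schema attribute, cannot be flagged
$CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS (also part of GenericAll)

function Get-ConfidentialReaders {
    param(
        [Parameter(Mandatory)] $Attribute,  # lDAPDisplayName, searchFlags, systemFlags, schemaIDGUID
        [Parameter(Mandatory)] $Aces        # shaped like (Get-Acl "AD:\<user DN>").Access
    )
    if (-not ($Attribute.searchFlags -band $CONFIDENTIAL)) {
        # Not flagged: ordinary read ACEs decide, so report only whether it could be flagged.
        return [pscustomobject]@{
            Attribute = $Attribute.lDAPDisplayName; Confidential = $false
            CanBeFlagged = -not ($Attribute.systemFlags -band $BASE_SCHEMA); Readers = @()
        }
    }
    $attrGuid = [guid]$Attribute.schemaIDGUID   # byte[] when read from a live schema
    $readers = foreach ($ace in $Aces) {
        # An empty ObjectType means the ACE covers every attribute and extended right.
        $covers = $ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $attrGuid
        if ($ace.AccessControlType -eq 'Allow' -and $covers -and
            ([int]$ace.ActiveDirectoryRights -band $CONTROL_ACCESS)) {
            "$($ace.IdentityReference)"
        }
    }
    [pscustomobject]@{
        Attribute = $Attribute.lDAPDisplayName; Confidential = $true
        CanBeFlagged = $true; Readers = @($readers | Sort-Object -Unique)
    }
}

# Constructed sample: a hypothetical custom attribute flagged confidential, plus three ACEs.
$hireDate = [pscustomobject]@{ lDAPDisplayName = 'exampleHireDate'; searchFlags = 128
    systemFlags = 0; schemaIDGUID = [guid]'11111111-2222-3333-4444-555555555555' }
$aces = @(
    [pscustomobject]@{ IdentityReference = 'EXAMPLE\HR-Readers'; AccessControlType = 'Allow'
        ActiveDirectoryRights = 0x110; ObjectType = $hireDate.schemaIDGUID }   # read + control access
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\Authenticated Users'; AccessControlType = 'Allow'
        ActiveDirectoryRights = 0x20094; ObjectType = [guid]::Empty }          # GenericRead only
    [pscustomobject]@{ IdentityReference = 'EXAMPLE\Helpdesk'; AccessControlType = 'Allow'
        ActiveDirectoryRights = 0x100; ObjectType = [guid]::Empty }            # all extended rights
)
Get-ConfidentialReaders -Attribute $hireDate -Aces $aces
# Live input (assumes the ActiveDirectory module): Get-ADObject against
# (Get-ADRootDSE).schemaNamingContext for the attribute, and (Get-Acl "AD:\<user DN>").Access.
```

Setting the flag means editing the attribute's schema object, and any trustee holding all extended rights or full control on the user objects can still read the value.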
meloao

New Friend (or an Old Friend who Built a New Account)
Posts: 95
#9
Quote:
Originally Posted by cj_berlin
Wouldn’t everyone be able to see that info on the Intranet then? If it’s OK to disclose it to other staff members in the first place then you can sync it to wherever you like...



The rationale is that AD is an authoritative resource - not an HR system.  AD authenticates and authorizes users and computers on the network.  Hire Date is part of HR. 

What we decided to do is get an extract of hire date (and email address). Email is primary key.
0
meloao

New Friend (or an Old Friend who Built a New Account)
Posts: 95
#10
Quote:
Originally Posted by jsclmedave


But you can restrict AD Attributes that will override the default READ, correct? Like EMP ID #'s. They are hidden unless you have the correct Security Group to see them.



Hey Tim, 

I like your signature - specifically the email address.  I did put it in PowerShell ISE and was able to see your email address.

I'm trying to create my email address.  How would I go about doing that?  What do the numbers in single quotes mean?
0
jsclmedave

Administrator
Posts: 482
#11
It's posted here somewhere.  Look for obfuscated email.
0
meloao

New Friend (or an Old Friend who Built a New Account)
Posts: 95
#12
Thanks @jsclmedave!  I found the thread and I successfully converted my email address!  Now I can update my signature. :-)
0
Matthew

New Friend (or an Old Friend who Built a New Account)
Posts: 22
#13

Quote:
Originally Posted by meloao



The rationale is that AD is an authoritative resource - not an HR system.  AD authenticates and authorizes users and computers on the network.  Hire Date is part of HR. 

What we decided to do is get an extract of hire date (and email address). Email is primary key.

 

Interesting that you see AD as the authoritative source for when someone was hired.  AD can tell you when the AD user account was created, but not when they are hired. 

Looking at this from a FIM/MIM (identity management) perspective, HR should be looked at as the authoritative source for key ID information: name, hire date, termination, title, manager, department, etc.

As others have said, I wouldn't expose hire date data myself.  I would fight that.  There really isn't any need for people to know how long someone has been floating around a company.

0