Mark Minasi's Tech Forum
meloao

Senior Member
Posts: 109
Reply with quote  #1 
Is there a field in AD to capture a date without updating schema? Domain and Forest Functional Level are both Windows Server 2008. 


0
cj_berlin

Senior Member
Posts: 406
Reply with quote  #2 
Hmmm. Can you be more specific on what you're *really* trying to achieve?
__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
0
meloao

Senior Member
Posts: 109
Reply with quote  #3 
I want to identify a field in AD that we can use for dates.  Specifically we are looking to include hire dates for user accounts.
0
cj_berlin

Senior Member
Posts: 406
Reply with quote  #4 
Just use a text field and store the date in a consistent format.
0
wkasdo

Administrator
Posts: 241
Reply with quote  #5 
Be aware that many companies (and people) would consider this privacy sensitive information, which should not be stored in AD because that information is readable by all Domain Users. 
__________________
[MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/
0
meloao

Senior Member
Posts: 109
Reply with quote  #6 
That's a good point and I agree with you.  It seems like one can deduce age from hire date which would be PII.

The business folks want hire date posted for employee profiles on our intranet site (which syncs to AD). 

I think instead of putting hire date in AD, we are going to extract hire date from our HR/CMS system and upload to intranet. 
0
cj_berlin

Senior Member
Posts: 406
Reply with quote  #7 
Wouldn't everyone be able to see that info on the Intranet then? If it's OK to disclose it to other staff members in the first place then you can sync it to wherever you like...
0
jsclmedave

Administrator
Posts: 495
Reply with quote  #8 
Quote:
Originally Posted by wkasdo
Be aware that many companies (and people) would consider this privacy sensitive information, which should not be stored in AD because that information is readable by all Domain Users. 


But you can restrict AD Attributes that will override the default READ, correct?  Like EMP ID #'s.  They are hidden unless you have the correct Security Group to see them.

__________________
Tim Bolton @jsclmedave
Email: [string](0..20|%{[char][int](32+('527377347976847978324785847679797514357977').substring(($_*2),2))}) -replace ' '  

New to the forum? Please Read this
0
meloao

Senior Member
Posts: 109
Reply with quote  #9 
Quote:
Originally Posted by cj_berlin
Wouldn't everyone be able to see that info on the Intranet then? If it's OK to disclose it to other staff members in the first place then you can sync it to wherever you like...



The rationale is that AD is an authoritative resource - not an HR system.  AD authenticates and authorizes users and computers on the network.  Hire Date is part of HR. 

What we decided to do is get an extract of hire date (and email address). Email is primary key. 
0
meloao

Senior Member
Posts: 109
Reply with quote  #10 
Quote:
Originally Posted by jsclmedave


But you can restrict AD Attributes that will override the default READ, correct?  Like EMP ID #'s.  They are hidden unless you have the correct Security Group to see them.



Hey Tim, 

I like your signature - specifically the email address.  I did put it in PowerShell ISE and was able to see your email address.

I'm trying to create my email address.  How would I go about doing that?  What do the numbers in single quotes mean?
0
jsclmedave

Administrator
Posts: 495
Reply with quote  #11 
It's posted here somewhere.  Look for obfuscated email.
0
meloao

Senior Member
Posts: 109
Reply with quote  #12 
Thanks @jsclmedave!  I found the thread and I successfully converted my email address!  Now I can update my signature. :-)
0
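
The signature one-liner discussed in posts #10 to #12 stores each character as a two-digit number (its character code minus 32), and the expression adds 32 back to each pair. As an added example that is not part of the thread or of the forum's own script, the hypothetical helper `ConvertTo-ObfuscatedSignature` below builds such an expression for a constructed address:

```powershell
# Added example; ConvertTo-ObfuscatedSignature is a hypothetical helper name.
function ConvertTo-ObfuscatedSignature {
    param([Parameter(Mandatory)][string]$Text)

    $digits = foreach ($ch in $Text.ToCharArray()) {
        $offset = [int]$ch - 32
        # The decoder reads fixed two-digit pairs, so every offset must fit in 01..99.
        # Offset 00 (a space) is rejected because the decoder's -replace ' ' would drop it.
        if ($offset -lt 1 -or $offset -gt 99) {
            throw "Character '$ch' cannot be encoded in this scheme."
        }
        $offset.ToString('00')
    }

    $last = $Text.Length - 1
    # Emit the same decoder expression as in the signature, sized to this string.
    # The backtick keeps $_ literal so it is evaluated only when the signature is run.
    "[string](0..$last|%{[char][int](32+('$(-join $digits)').substring((`$_*2),2))}) -replace ' '"
}

# Constructed sample address, not taken from the thread.
$signature = ConvertTo-ObfuscatedSignature -Text 'jane.doe@example.com'
$signature

# Round trip: evaluating the generated expression returns the original text.
# Invoke-Expression is used here only on the string built above, never on untrusted input.
Invoke-Expression $signature
```

The `-replace ' '` at the end is needed because casting the character array to `[string]` joins the elements with spaces. The encoding only keeps the address out of simple text harvesters; anyone who pastes the expression into PowerShell sees it in clear text.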
Matthew

New Friend (or an Old Friend who Built a New Account)
Posts: 22
Reply with quote  #13 

Quote:
Originally Posted by meloao



The rationale is that AD is an authoritative resource - not an HR system.  AD authenticates and authorizes users and computers on the network.  Hire Date is part of HR. 

What we decided to do is get an extract of hire date (and email address). Email is primary key. 

 

Interesting that you see AD as the authoritative source for when someone was hired.  AD can tell you when the AD user account was created, but not when they are hired. 

Looking at this from a FIM/MIM (identity management) perspective, HR should be looked at as the authoritative source for key ID information: name, hire date, termination, title, manager, department etc. 

As others have said, I wouldn't expose hire date data myself.  I would fight that.  There really isn't any need for people to know how long someone has been floating around a company. 

0
jsclmedave

Administrator
Posts: 495
Reply with quote  #14 
Quote:
Originally Posted by Matthew

 

 

Interesting that you see AD as the authoritative source for when someone was hired.  AD can tell you when the AD user account was created, but not when they are hired. 

Looking at this from a FIM/MIM (identity management) perspective, HR should be looked at as the authoritative source for key ID information: name, hire date, termination, title, manager, department etc. 

As others have said, I wouldn't expose hire date data myself.  I would fight that.  There really isn't any need for people to know how long someone has been floating around a company. 



Many times HR will update AD, every night in our case, and when they bring someone on in their system AD will create the account.  So in "some" cases this is accurate.

0
meloao

Senior Member
Posts: 109
Reply with quote  #15 
Our AD user accounts are created/updated based on HR data.  Our cloud application authenticates to AD using SSO.  Therefore AD is the authoritative source for the application.

Likewise, HR is the authoritative source for AD. 
0