1

I am currently working on scripting some of our access at work and would love an easy way to enter and retrieve the last 4 of a user's social sec number. It's the primary way we identify people that call. Currently we have to log in and search through our HR application, which is pretty cumbersome to use and adds time to a call. Chances of me getting management/senior engineers to approve of and extend the schema are almost nil. I was thinking of writing this number to the employeeNumber attribute but unsure if there are any unseen consequences in doing so. Apparently someone at our old helpdesk started entering this info into the 'telephones' tab in AD, which can be seen through Outlook-global catalogue...management was not too happy.

Is this a decent idea with what I have to work with? or?...

soMuch2Learn
  • 333
  • 1
  • 6
  • 16

2 Answers

4

The employeeNumber field, while not viewable via the GUI, is still able to be queried by anyone with read access to AD, if I'm not mistaken. It may take more effort than "Outlook" though.

But honestly...it's the last 4 of the SSN...so I think your approach, if management is fine with it, is good enough.

Just make sure you don't care about an actual employee ID number in the future being stored there. But yeah, it's not something that will mess up something else if you arbitrarily pick a number to store there.

TheCleaner
  • 32,627
  • 26
  • 132
  • 191
  • 1
    Thanks @TheCleaner. We do have the schema extended for EmployeeID currently, and those that have access to AD have it to the HR database where we currently retrieve the last 4. Thanks for the feedback. – soMuch2Learn Mar 12 '14 at 04:54
3

The default, out of the box schema already contains both an employeeNumber and an employeeID attribute...

Reading the attributes:

PS H:\> Get-ADUser jbob -Properties EmployeeId,EmployeeNumber

DistinguishedName : CN=JoeBob,OU=Users,OU=Bros,DC=contoso,DC=com
EmployeeID        : A1B2C3
EmployeeNumber    : 1234556
Enabled           : True
GivenName         : Joe
Name              : JoeBob
ObjectClass       : user
ObjectGUID        : be0e26f8-194a-4e64-bd88-e8fe31ead255
SamAccountName    : jbob
SID               : S-1-5-21-2495528697-4433204477-8833759600-13738
UserPrincipalName : jbob@contoso.com

Setting the attributes:

PS H:\> Set-ADUser jbob -EmployeeId $NewEmpId

I'd be really careful about storing even the last 4 of the employee's SSN in Active Directory. By default, this information will be readable by all authenticated users. And I personally would consider even the last 4 digits of other people's social security numbers to be worthy of more confidentiality than that.

If you're going to do this, I would at least recommend marking the attribute as confidential by modifying the searchFlags attribute: http://support.microsoft.com/kb/922836

Ryan Ries
  • 55,481
  • 10
  • 142
  • 199
  • 1
    Especially since other parts of their social security number can often be guessed by knowing when and where they got their SSN. – Grant Mar 12 '14 at 12:33
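The searchFlags change that Ryan Ries's answer points to, worked through as an added PowerShell script (not code from either answer): it reads the attributeSchema object for a named attribute, reports whether the confidential bit (0x80) is already set, and only sets it with -Apply. It assumes the ActiveDirectory module, Schema Admins membership, and that the attribute name is passed in (employeeNumber being the case discussed on this page); it also checks the base-schema flag (systemFlags 0x10), because the domain controller rejects the confidential bit on base-schema attributes, in which case extending the schema with a new attribute is the route left.

```powershell
# Added example: inspect / set the confidential bit in searchFlags (KB922836).
# Assumes RSAT or a DC, the ActiveDirectory module, and Schema Admins rights.
param(
    [Parameter(Mandatory)][string]$AttributeName,   # e.g. employeeNumber
    [switch]$Apply                                  # report only unless given
)
Import-Module ActiveDirectory -ErrorAction Stop

$CF_BIT   = 0x80   # searchFlags: confidential; readers need Control Access right
$BASE_BIT = 0x10   # systemFlags: FLAG_SCHEMA_BASE_OBJECT (base-schema attribute)

# Locate the attributeSchema object by its LDAP display name.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributeName))" `
    -Properties searchFlags, systemFlags
if (-not $attr) { throw "Attribute '$AttributeName' not found in the schema." }

$flags          = [int]$attr.searchFlags           # $null becomes 0
$isConfidential = ($flags -band $CF_BIT) -ne 0
$isBaseSchema   = (([int]$attr.systemFlags) -band $BASE_BIT) -ne 0

"{0}: searchFlags=0x{1:X} confidential={2} baseSchema={3}" -f `
    $AttributeName, $flags, $isConfidential, $isBaseSchema

if (-not $Apply)     { return }
if ($isConfidential) { "Already confidential; nothing to do."; return }
if ($isBaseSchema) {
    throw "'$AttributeName' is a base-schema attribute; the DC rejects the confidential bit on these. Add a new schema attribute for the value instead."
}

# Schema writes must go to the schema master, so target it explicitly.
$schemaMaster = (Get-ADForest).SchemaMaster
Set-ADObject -Identity $attr.DistinguishedName `
    -Replace @{ searchFlags = ($flags -bor $CF_BIT) } `
    -Server $schemaMaster
"Confidential bit set on $AttributeName; by default only admins and principals granted Control Access on the attribute can read it now."
```

After applying, test as an ordinary domain user with Get-ADUser -Properties $AttributeName; the value should come back empty rather than populated.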