Brian's idea is more secure since you're putting custom data into the domain information. Which begs the question: does it provide enough additional security to justify the administrative overhead associated with adding an additional service onto the domain controllers? vs. using existing SID info? Thoughts?

Shawn, I thought about the whole local vs. domain admin thing. If it decrypts for someone with local admin rights, then anyone with admin access to their own machine (which would have to be a member of the domain in question) could decrypt the data. IMO, it's better to require domain admin access. It's a lot harder to come by. The security benefits outweigh the cost of not being able to give domain maintenance scripts to local admins.
_________________________
Stevie
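The distinction Stevie draws above (local admin on a domain-joined box vs. membership in Domain Admins) comes down to which group SIDs are in the caller's token. The following PowerShell is an added illustration, not code from this thread or from Brian's or Shawn's proposals: it reads the current token and reports both memberships using the well-known local Administrators SID (S-1-5-32-544) and the Domain Admins RID (512 appended to the domain SID). The function name `Test-DomainAdminToken` and the surrounding decrypt-gate are assumptions made for the example.

```powershell
# Added example (not from the original thread): distinguish local Administrators
# membership from Domain Admins membership in the caller's token, and refuse the
# sensitive operation unless the caller is a Domain Admin.
#
# Local Administrators is S-1-5-32-544 on every machine, so anyone who administers
# their own domain-joined PC holds it. Domain Admins is <domain SID>-512 and is
# only granted by the domain, which is the property the post relies on.

function Test-DomainAdminToken {
    [CmdletBinding()]
    param()

    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $groupSids = $identity.Groups | ForEach-Object { $_.Value }

    # Membership in local Administrators only proves control of this one machine.
    $isLocalAdmin = $groupSids -contains 'S-1-5-32-544'

    # Domain Admins = domain SID (S-1-5-21-x-y-z) followed by RID 512. Matching on
    # the RID suffix keeps the check portable across domains.
    $isDomainAdmin = [bool]($groupSids | Where-Object { $_ -match '^S-1-5-21-\d+-\d+-\d+-512$' })

    [pscustomobject]@{
        User          = $identity.Name
        IsLocalAdmin  = $isLocalAdmin
        IsDomainAdmin = $isDomainAdmin
    }
}

# Hypothetical gate in front of the decryption step discussed in the thread.
$token = Test-DomainAdminToken
if (-not $token.IsDomainAdmin) {
    throw "Refusing to decrypt: $($token.User) is not in Domain Admins (local admin: $($token.IsLocalAdmin))."
}
# ... decryption of the protected data would proceed here ...
```

Two practical notes. First, an in-script check like this is a convenience, not enforcement: a local admin can edit or bypass the script, so the real control has to be that the key material itself is only readable by Domain Admins (an ACL on the key or a service on the DC that releases it, as the thread discusses), with the script check serving only as an early, friendly failure. Second, with UAC an administrator's unelevated token still lists the Administrators SID but marks it deny-only, so a check that uses group SIDs alone will over-report local admin rights in that case; inspecting the group attributes (or requiring an elevated session) tightens the local-admin side of the report if that matters for your logging.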