Hello Edgar,
On 10/17/2012 10:21 AM, Edgar Olougouna wrote:
Matthieu,
There will be an update to MS-ADTS and I will communicate the change as soon as
the draft is ready.
However, the algorithm in MS-DRSR already covers the required processing.
Allowed RODC Password Replication Group and Denied RODC Password Replication
Group are by default added to attributes msDS-RevealOnDemandGroup and
msDS-NeverRevealGroup respectively during dcpromo, therefore there is no extra
processing needed, following the processing rules as documented in MS-DRSR
4.1.10.5.14 GetRevealSecretsPolicyForUser will get the right results. These
attributes (msDS-RevealOnDemandGroup and msDS-NeverRevealGroup) are maintained
by an administrator and implementations must not take a dependency on any
specifics of their contents. More information relating to these attributes can
be found in MS-ADTS 6.1.1.3.2 Read-Only Domain Controller Object.
So if I read you right then it means that those groups are used only at
(rodc)dcpromo to populate the attributes that are used for checking in
MS-DRSR 4.1.10.5.14.
Did you verify this behavior?
This article:
http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy%28v=ws.10%29.aspx,
seems to indicate that it's a constant check
"
Reviewing the accounts that are authenticated to an RODC
------------------------------------------------------------------------
You should periodically review the accounts that have been authenticated
to an RODC. This information can help you plan updates that you intend
to make to the existing PRP. For example, you may want to review which
user and computer accounts have authenticated to an RODC so that you can
add those accounts to the Allowed List.
Important
You will probably see more accounts in the *Accounts that have been
authenticated to this Read-only Domain Controller* list than will have
passwords cached. Although you may see accounts of writeable domain
controllers or members of the Domain Admins group in the list of
authenticated accounts, it does not necessarily indicate that those
accounts authenticated to the domain through the RODC. Instead, it means
that the RODC in one way or another verified the credentials of those
accounts. All default administrative accounts and domain controllers are
denied explicitly or through their membership from having their
passwords cached. If there are additional accounts that you want to make
sure are not cached, include them in the Deny list or make them members
of the Denied RODC Password Replication Group. The Deny list comprises
the accounts that are specifically denied in the PRP from caching
their credentials on the RODC.
"
Thanks.
Matthieu
--
Matthieu Patou
Samba Team
http://samba.org
_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
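As an added illustration of the processing Edgar refers to (this is not code from the thread, from Samba, or from MS-DRSR itself), the following Python models a GetRevealSecretsPolicyForUser-style decision against a constructed in-memory directory: membership in a group listed in msDS-NeverRevealGroup is evaluated first, so deny always wins over msDS-RevealOnDemandGroup. The DNs, the MEMBER_OF table and the RODC attribute set are all constructed; the special handling of the RODC's own account and its krbtgt is deliberately left out.

```python
"""Simplified model of the RODC reveal-secrets decision discussed above.

Constructed example: a tiny in-memory directory with transitive group
membership. Deny membership is evaluated before allow membership, so an
account that is both allowed and denied is never cached on the RODC.
"""
from typing import Dict, List, Set

# Constructed directory: object DN -> list of groups it is a direct member of.
MEMBER_OF: Dict[str, List[str]] = {
    "CN=alice,OU=Branch,DC=example,DC=com": ["CN=BranchUsers,DC=example,DC=com"],
    "CN=BranchUsers,DC=example,DC=com": [
        "CN=Allowed RODC Password Replication Group,DC=example,DC=com"],
    "CN=bob,OU=IT,DC=example,DC=com": [
        "CN=Domain Admins,DC=example,DC=com",
        "CN=Allowed RODC Password Replication Group,DC=example,DC=com"],
    "CN=Domain Admins,DC=example,DC=com": [
        "CN=Denied RODC Password Replication Group,DC=example,DC=com"],
    "CN=carol,OU=HQ,DC=example,DC=com": [],
}

# Constructed RODC object: the two attributes populated at dcpromo time with
# the default Allowed/Denied groups, as the thread describes. An administrator
# may add further groups or individual accounts to either attribute.
RODC = {
    "msDS-RevealOnDemandGroup": {
        "CN=Allowed RODC Password Replication Group,DC=example,DC=com"},
    "msDS-NeverRevealGroup": {
        "CN=Denied RODC Password Replication Group,DC=example,DC=com"},
}

def transitive_member_of(dn: str) -> Set[str]:
    """Return every group dn belongs to, directly or through nesting."""
    seen: Set[str] = set()
    stack = list(MEMBER_OF.get(dn, []))
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(MEMBER_OF.get(group, []))
    return seen

def get_reveal_secrets_policy_for_user(rodc: dict, user_dn: str) -> bool:
    """May this RODC cache user_dn's secrets? (model, not the spec text)

    An account listed directly in either attribute counts, as does one that
    is a transitive member of a listed group. A deny match wins over allow.
    """
    reach = transitive_member_of(user_dn) | {user_dn}
    if reach & rodc["msDS-NeverRevealGroup"]:
        return False
    return bool(reach & rodc["msDS-RevealOnDemandGroup"])
```

bob is allowed through the Allowed group but denied through Domain Admins, which mirrors the TechNet note that default administrative accounts are denied "explicitly or through their membership".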