[cifs-protocol] [EXTERNAL] [MS-ADTS] Procedure for setting msDS-ManagedPasswordId attribute - TrackingID#2311280040000920

Jeff McCashland (He/him) jeffm at microsoft.com
Tue Dec 5 19:48:42 UTC 2023 

Hi Joseph,

In studying [MS-ADTS], I believe that initialization and updating of msDS-ManagedPasswordId is already documented in section 3.1.1.4.5.39 msDS-ManagedPassword, where this algorithm is described: 

Define function GetgMSAPasswordBlob(TO: OBJECT), which returns an msDS-ManagedPassword BLOB structure (section 2.2.19) as follows using integer arithmetic where divisions are rounded down without a remainder.

The initialization occurs in step 5 where a new password and key id is created if msDS-ManagedPasswordId does not previously exist (or if the password interval is expired): 
5.	If TO!msDS-ManagedPasswordId does not exist or CurrentKeyExpirationTime is less than the current time, then:

Steps 5.7, 6.5, and 7.5 all describe creating new keys and returning the old password/key as the Previous values: 

	5.	Call MarshalPassword() where:
		§	Current_Password contains NewPassword.
		§	Previous_Password contains OldPassword.

Do you disagree? Is this clear enough? 

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300

-----Original Message-----
From: Jeff McCashland (He/him) 
Sent: Monday, December 4, 2023 9:52 AM
To: Joseph Sutton <jsutton at samba.org>
Cc: Microsoft Support <supportmail at microsoft.com>; cifs-protocol at lists.samba.org
Subject: RE: [EXTERNAL] [MS-ADTS] Procedure for setting msDS-ManagedPasswordId attribute - TrackingID#2311280040000920

Hi Joseph, 

That is my understanding, yes. 

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada) Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300

-----Original Message-----
From: Joseph Sutton <jsutton at samba.org>
Sent: Sunday, December 3, 2023 8:12 PM
To: Jeff McCashland (He/him) <jeffm at microsoft.com>
Cc: Microsoft Support <supportmail at microsoft.com>; cifs-protocol at lists.samba.org
Subject: Re: [EXTERNAL] [MS-ADTS] Procedure for setting msDS-ManagedPasswordId attribute - TrackingID#2311280040000920

Thank you. For clarification, does regenerating the passwords here involve updating the account's msDS-ManagedPasswordId attribute? and msDS-ManagedPasswordPreviousId, too?

Regards,
Joseph

On 2/12/23 11:40 am, Jeff McCashland (He/him) wrote:
> Hi Joseph,
> 
> It appears that when the passwords are accessed, the interval is checked and the passwords are then regenerated if they have expired.
> 
> Please let me know if this does not answer your question.
> 
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft 
> Protocol Open Specifications Team
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: 
> (UTC-08:00) Pacific Time (US and Canada) Local country phone number 
> found here:
> https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsuppo
> rt.microsoft.com%2Fglobalenglish&data=05%7C02%7Cjeffm%40microsoft.com%
> 7C37acc21f856446162c7908dbf47f3e15%7C72f988bf86f141af91ab2d7cd011db47%
> 7C1%7C0%7C638372599591299741%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwM
> DAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdat
> a=5vcRpgLQ5O2lxfVzej2q7BNNmoPyS%2FExhf0Tb83xDn8%3D&reserved=0 | 
> Extension 1138300
> 
> -----Original Message-----
> From: Joseph Sutton <jsutton at samba.org>
> Sent: Wednesday, November 29, 2023 1:52 PM
> To: Jeff McCashland (He/him) <jeffm at microsoft.com>
> Cc: Microsoft Support <supportmail at microsoft.com>; 
> cifs-protocol at lists.samba.org
> Subject: Re: [EXTERNAL] [MS-ADTS] Procedure for setting 
> msDS-ManagedPasswordId attribute - TrackingID#2311280040000920
> 
> Hi,
> 
> Thank you for those links. So much of the format of these attributes I had inferred from reading [MS-GKDI]: what I cannot find in either article are details on how the attributes' values are first set and then periodically updated.
> 
> If I were to create a Group Managed Service Account right now and 
> examined its msDS-ManagedPasswordId attribute, I might see a key index 
> of (362, 0, 27). Say the interval after which the managed password was 
> to be automatically changed was set to one day. If I were to examine 
> the same attribute tomorrow, I might then see the key index had 
> changed to (362, 0, 29). Furthermore, I might see that the 
> msDS-ManagedPasswordPreviousId attribute (which had previously been
> empty) had been assigned the previous day's key index (362, 0, 27).
> 
> Evidently the values of these attributes must periodically be updated by some method in order for the managed password protocol to work. My question is: by what procedure should this be done?
> 
> Regards,
> Joseph
> 
> On 30/11/23 7:34 am, Jeff McCashland (He/him) wrote:
>> Hi Joseph,
>>
>> I found a couple of online resources that appear to describe how to 
>> generate the msDS-ManagedPasswordId attribute:
>>
>> Introducing the Golden GMSA Attack
>>
>> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsec
>> u%2F&data=05%7C02%7Cjeffm%40microsoft.com%7C37acc21f856446162c7908dbf
>> 47f3e15%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C6383725995913071
>> 21%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTi
>> I6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=nRxPdRWhU%2F9ynyy1FSQ%
>> 2FuS19gQnQApcCvl%2FdiTTiTls%3D&reserved=0
>> rityboulevard.com%2F2022%2F03%2Fintroducing-the-golden-gmsa-attack%2F
>> &
>> data=05%7C01%7Cjeffm%40microsoft.com%7C8b3892695c1c41c7cf8208dbf1257d
>> f
>> 4%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638368915588042290%7CU
>> n
>> known%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1ha
>> W
>> wiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=LelSmrZuPGbzFBjMPsU87KSIynavAF
>> 7
>> ViQQy%2BYpgRjM%3D&reserved=0
>> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fse
>> c%2F&data=05%7C02%7Cjeffm%40microsoft.com%7C37acc21f856446162c7908dbf
>> 47f3e15%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C6383725995913122
>> 46%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTi
>> I6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=9%2BOwMqPOo12Wu2SBVJ%2
>> BVQQC76SYnzFuIXmBH8QKdDaw%3D&reserved=0
>> urityboulevard.com%2F2022%2F03%2Fintroducing-the-golden-gmsa-attack%2
>> F
>> &data=05%7C01%7Cjeffm%40microsoft.com%7C8b3892695c1c41c7cf8208dbf1257
>> d
>> f4%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638368915588051293%7C
>> U
>> nknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1h
>> a
>> WwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=pvoqNwoVEgry05Bry2zat0O9bU0q1
>> D
>> XX2gepx9mPq5s%3D&reserved=0>
>>
>> How to recover from a Golden gMSA attack
>>
>> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flea
>> r%2F&data=05%7C02%7Cjeffm%40microsoft.com%7C37acc21f856446162c7908dbf
>> 47f3e15%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C6383725995913161
>> 71%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTi
>> I6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=k87u0MoTufLMFECk29jmQW
>> U9Rd%2FeXZHIJKLBH9T9GTg%3D&reserved=0
>> n.microsoft.com%2Fen-us%2Ftroubleshoot%2Fwindows-server%2Fwindows-sec
>> u
>> rity%2Frecover-from-golden-gmsa-attack&data=05%7C01%7Cjeffm%40microso
>> f
>> t.com%7C8b3892695c1c41c7cf8208dbf1257df4%7C72f988bf86f141af91ab2d7cd0
>> 1
>> 1db47%7C1%7C0%7C638368915588057505%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC
>> 4
>> wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%
>> 7
>> C&sdata=EuZEsNrVHjjxjlVUWTu5sVgTT%2B1pxit6PEoLNZ%2FimQ0%3D&reserved=0
>> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fle
>> a%2F&data=05%7C02%7Cjeffm%40microsoft.com%7C37acc21f856446162c7908dbf
>> 47f3e15%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C6383725995913199
>> 44%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTi
>> I6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=injsryUSGV4%2FzA%2BPH9
>> QDr3GW7QDAfbqXxForHbYPmg8%3D&reserved=0
>> rn.microsoft.com%2Fen-us%2Ftroubleshoot%2Fwindows-server%2Fwindows-se
>> c
>> urity%2Frecover-from-golden-gmsa-attack&data=05%7C01%7Cjeffm%40micros
>> o
>> ft.com%7C8b3892695c1c41c7cf8208dbf1257df4%7C72f988bf86f141af91ab2d7cd
>> 0
>> 11db47%7C1%7C0%7C638368915588063990%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiM
>> C
>> 4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C
>> %
>> 7C&sdata=U%2BvJ0ARvX3KPmwFSTKu01Os0ZYDnJTcJHNtZ%2B5Q60Z4%3D&reserved=
>> 0
>>>
>>
>> Please let me know if these help any.
>>
>> Best regards,*
>> /Jeff M/**/^c /**/Cashland (He/him) /**| Senior Escalation Engineer/
>> | Microsoft/****Protocol Open Specifications Team*
>>
>> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone:
>> (UTC-08:00) Pacific Time (US and Canada)
>>
>> Local country phone number found here:
>> https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsupp
>> o%2F&data=05%7C02%7Cjeffm%40microsoft.com%7C37acc21f856446162c7908dbf
>> 47f3e15%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C6383725995913236
>> 78%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTi
>> I6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=FAn5x%2Bz7nwtW5csx0txd
>> glqSv2syrVrB9GCNY%2BkB6Dc%3D&reserved=0
>> rt.microsoft.com%2Fglobalenglish&data=05%7C01%7Cjeffm%40microsoft.com
>> %
>> 7C8b3892695c1c41c7cf8208dbf1257df4%7C72f988bf86f141af91ab2d7cd011db47
>> %
>> 7C1%7C0%7C638368915588070730%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAw
>> M
>> DAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sda
>> t
>> a=XJrBgpkrtwDdro9AT80LIeu6BoPipaYnQHhSlVuVD3g%3D&reserved=0
>> <https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsup
>> p%2F&data=05%7C02%7Cjeffm%40microsoft.com%7C37acc21f856446162c7908dbf
>> 47f3e15%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C6383725995913274
>> 62%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTi
>> I6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=83ZmAa2HUHwhl%2F5nSdMM
>> qF7dbiMJjiQGENM6QHgVIlQ%3D&reserved=0
>> ort.microsoft.com%2Fglobalenglish&data=05%7C01%7Cjeffm%40microsoft.co
>> m
>> %7C8b3892695c1c41c7cf8208dbf1257df4%7C72f988bf86f141af91ab2d7cd011db4
>> 7
>> %7C1%7C0%7C638368915588074945%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjA
>> w
>> MDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sd
>> a ta=LWTGmIq753PjwViRiluqkK80fD7FGK%2F017N6uIODCoc%3D&reserved=0> | 
>> Extension 1138300
>>
>> *From:*Jeff McCashland (He/him)
>> *Sent:* Tuesday, November 28, 2023 8:28 AM
>> *To:* Joseph Sutton <jsutton at samba.org>
>> *Cc:* Microsoft Support <supportmail at microsoft.com>; 
>> cifs-protocol at lists.samba.org
>> *Subject:* RE: [EXTERNAL] [MS-ADTS] Procedure for setting 
>> msDS-ManagedPasswordId attribute - TrackingID#2311280040000920
>>
>> [try again- Kristian to BCC
>>
>> *From:*Jeff McCashland (He/him)
>> *Sent:* Tuesday, November 28, 2023 8:27 AM
>> *To:* Kristian Smith <Kristian.Smith at microsoft.com 
>> <mailto:Kristian.Smith at microsoft.com>>; Joseph Sutton 
>> <jsutton at samba.org <mailto:jsutton at samba.org>>; 
>> cifs-protocol at lists.samba.org <mailto:cifs-protocol at lists.samba.org>
>> *Cc:* Microsoft Support <supportmail at microsoft.com 
>> <mailto:supportmail at microsoft.com>>
>> *Subject:* RE: [EXTERNAL] [MS-ADTS] Procedure for setting 
>> msDS-ManagedPasswordId attribute - TrackingID#2311280040000920
>>
>> [Kristian to BCC]
>>
>> Hi Joseph,
>>
>> I will look into your question and let you know what I find.
>>
>> Best regards,*
>> /Jeff M/**/^c /**/Cashland (He/him) /**| Senior Escalation Engineer/
>> | Microsoft/****Protocol Open Specifications Team*
>>
>> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone:
>> (UTC-08:00) Pacific Time (US and Canada)
>>
>> Local country phone number found here:
>> https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsupp
>> o%2F&data=05%7C02%7Cjeffm%40microsoft.com%7C37acc21f856446162c7908dbf
>> 47f3e15%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C6383725995913311
>> 97%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTi
>> I6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=%2BIINIqVtLHi3Boe5B8t3
>> N0Fd%2FBO8T7pgsq0%2FCaQHrGc%3D&reserved=0
>> rt.microsoft.com%2Fglobalenglish&data=05%7C01%7Cjeffm%40microsoft.com
>> %
>> 7C8b3892695c1c41c7cf8208dbf1257df4%7C72f988bf86f141af91ab2d7cd011db47
>> %
>> 7C1%7C0%7C638368915588078943%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAw
>> M
>> DAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sda
>> t
>> a=tkxE0x8I%2B04b8YNTpQSyEY12gn7j84cNLaeDAc1ocwE%3D&reserved=0
>> <https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsup
>> p%2F&data=05%7C02%7Cjeffm%40microsoft.com%7C37acc21f856446162c7908dbf
>> 47f3e15%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C6383725995913349
>> 40%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTi
>> I6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=kkcEkaeOqS3Jq0VOp2QYKO
>> s9v4ITW5FTGyzCy6P6qIw%3D&reserved=0
>> ort.microsoft.com%2Fglobalenglish&data=05%7C01%7Cjeffm%40microsoft.co
>> m
>> %7C8b3892695c1c41c7cf8208dbf1257df4%7C72f988bf86f141af91ab2d7cd011db4
>> 7
>> %7C1%7C0%7C638368915588082884%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjA
>> w
>> MDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sd
>> a ta=ZsqOTIBuuVFdcqTuia8meW%2BrE9Fgx4tkLT2G3le%2BUdA%3D&reserved=0> | 
>> Extension 1138300
>>
>> *From:*Kristian Smith <Kristian.Smith at microsoft.com 
>> <mailto:Kristian.Smith at microsoft.com>>
>> *Sent:* Monday, November 27, 2023 6:39 PM
>> *To:* Joseph Sutton <jsutton at samba.org <mailto:jsutton at samba.org>>; 
>> cifs-protocol at lists.samba.org <mailto:cifs-protocol at lists.samba.org>
>> *Cc:* Microsoft Support <supportmail at microsoft.com 
>> <mailto:supportmail at microsoft.com>>
>> *Subject:* Re: [EXTERNAL] [MS-ADTS] Procedure for setting 
>> msDS-ManagedPasswordId attribute - TrackingID#2311280040000920
>>
>> [DocHelp to Bcc]
>>
>> [Case mail to Cc]
>>
>> Hi Joseph,
>>
>> Thank you for your request. The case number 2311280040000920 has been 
>> created for this inquiry. One of our team members will follow up with 
>> you soon.
>>
>> *Regards,*
>>
>> *Kristian Smith*
>>
>> Support Escalation Engineer | Azure DevOps, Windows Protocols | 
>> Microsoft® Corporation
>>
>> *Office phone*: +1 425-421-4442
>>
>> *Email*: kristian.smith at microsoft.com 
>> <mailto:kristian.smith at microsoft.com>
>>
>> *Working hours*: 8:00 am - 5:00 pm PST, Monday - Friday
>>
>> *Team Manager*: Gary Ranne garyra at microsoft.com 
>> <mailto:garyra at microsoft.com>
>>
>> *ServiceHub*:
>> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fser
>> v%2F&data=05%7C02%7Cjeffm%40microsoft.com%7C37acc21f856446162c7908dbf
>> 47f3e15%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C6383725995913386
>> 72%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTi
>> I6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=gxKesolna5%2FUxxvV2Dpe
>> uDX16CM9ouRDBwgTM7Tvfrc%3D&reserved=0
>> iceshub.microsoft.com%2Fsupport%2Fcontactsupport_&data=05%7C01%7Cjeff
>> m
>> %40microsoft.com%7C8b3892695c1c41c7cf8208dbf1257df4%7C72f988bf86f141a
>> f
>> 91ab2d7cd011db47%7C1%7C0%7C638368915588086793%7CUnknown%7CTWFpbGZsb3d
>> 8
>> eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C
>> 3
>> 000%7C%7C%7C&sdata=dEauc2KQK4aFU651P9jTIflUtc%2FNo2xOEbtxm0ptVA0%3D&r
>> e
>> served=0
>> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fse
>> r%2F&data=05%7C02%7Cjeffm%40microsoft.com%7C37acc21f856446162c7908dbf
>> 47f3e15%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C6383725995913425
>> 14%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTi
>> I6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=unPGfUeLwQfQjVcfKA3GmJ
>> 7FlPDtIqTnCgauok6%2Fi%2Fg%3D&reserved=0
>> viceshub.microsoft.com%2Fsupport%2Fcontactsupport_&data=05%7C01%7Cjef
>> f
>> m%40microsoft.com%7C8b3892695c1c41c7cf8208dbf1257df4%7C72f988bf86f141
>> a
>> f91ab2d7cd011db47%7C1%7C0%7C638368915588090768%7CUnknown%7CTWFpbGZsb3
>> d
>> 8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7
>> C
>> 3000%7C%7C%7C&sdata=J8RQLZPBTRSaUz96apjc%2FVAdm68kGw%2FwYLjeW0dPGXI%3
>> D
>> &reserved=0>
>>
>> /In case you don't hear from me, please call your regional number here:
>> //https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fs
>> u%2F&data=05%7C02%7Cjeffm%40microsoft.com%7C37acc21f856446162c7908dbf
>> 47f3e15%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C6383725995913462
>> 11%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTi
>> I6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=eDfbZcxA%2FZiDj8eGAmX5
>> RN4PBWOfLxeadzb6JMoWYKI%3D&reserved=0
>> pport.microsoft.com%2Fhelp%2F13948%2Fglobal-customer-service-phone-nu
>> m
>> bers&data=05%7C01%7Cjeffm%40microsoft.com%7C8b3892695c1c41c7cf8208dbf
>> 1
>> 257df4%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C63836891558809470
>> 7
>> %7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6
>> I
>> k1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=0zHR9%2B93B63JnnnOu49ldUc
>> m
>> xH85vxpdd4fWB0mledo%3D&reserved=0.
>> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsu
>> p%2F&data=05%7C02%7Cjeffm%40microsoft.com%7C37acc21f856446162c7908dbf
>> 47f3e15%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C6383725995913499
>> 03%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTi
>> I6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=d%2FNirKerr2gNFw3K7whW
>> lZ8QOD6gwS8nDyZcFKlPNJs%3D&reserved=0
>> port.microsoft.com%2Fhelp%2F13948%2Fglobal-customer-service-phone-num
>> b
>> ers&data=05%7C01%7Cjeffm%40microsoft.com%7C8b3892695c1c41c7cf8208dbf1
>> 2
>> 57df4%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638368915588099387
>> %
>> 7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6I
>> k
>> 1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=SCTt0XWCAtZTwsZSQuREvqzU5T
>> W
>> 6a5MQLrCSGC1r3f8%3D&reserved=0.>///
>>
>> /If you need assistance outside my normal working hours, please reach 
>> out to //devbu at microsoft.com <mailto:devbu at microsoft.com>//. One of 
>> my colleagues will gladly continue working on this 
>> issue.//devbu at microsoft.com <mailto:devbu at microsoft.com>//. One of my 
>> colleagues will gladly continue working on this issue./
>>
>> ---------------------------------------------------------------------
>> -
>> --
>>
>> *From:*Joseph Sutton <jsutton at samba.org <mailto:jsutton at samba.org>>
>> *Sent:* Monday, November 27, 2023 2:53 PM
>> *To:* cifs-protocol at lists.samba.org
>> <mailto:cifs-protocol at lists.samba.org> <cifs-protocol at lists.samba.org 
>> <mailto:cifs-protocol at lists.samba.org>>; Interoperability 
>> Documentation Help <dochelp at microsoft.com 
>> <mailto:dochelp at microsoft.com>>
>> *Subject:* [EXTERNAL] [MS-ADTS] Procedure for setting 
>> msDS-ManagedPasswordId attribute
>>
>> Hi dochelp,
>>
>> The calculation of the msDS-ManagedPassword attribute depends upon 
>> the values of two other important attributes, namely 
>> msDS-ManagedPasswordId and msDS-ManagedPasswordPreviousId. I can't 
>> find any documentation on how these two attributes are to be set 
>> initially (on the creation of a Group Managed Service Account), nor 
>> on how and when they are subsequently to be updated.
>>
>> Are you able to give me any information on the procedure by which 
>> these attributes are assigned values? - Are they supposed to be 
>> updated periodically?
>>
>> Regards,
>> Joseph
>>

More information about the cifs-protocol mailing list