<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"\@SimSun";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
p.emailquote, li.emailquote, div.emailquote
{mso-style-name:emailquote;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:1.0pt;
border:none;
padding:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
p.DSTOC1-3, li.DSTOC1-3, div.DSTOC1-3
{mso-style-name:DSTOC1-3;
margin-top:12.0pt;
margin-right:0in;
margin-bottom:6.0pt;
margin-left:-1.45pt;
text-indent:-9.35pt;
page-break-after:avoid;
font-size:10.0pt;
font-family:"Verdana","sans-serif";
font-weight:bold;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Hi Matthieu<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">We have updated MS-ADTS specification with 2 new groups [Allowed RODC Password Replication Group and Denied RODC Password Replication Group] in section 6.1.1.6
(Well-Known Domain-Relative Security Principals), details as follows :<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="DSTOC1-3" style="margin-left:20.15pt">6.1.1.6.16 Allowed RODC Password Replication Group<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.3in">name: Allowed RODC Password Replication Group<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.3in">objectClass: group<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.3in">RID: 571<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.3in">groupType: { GROUP_TYPE_RESOURCE_GROUP | GROUP_TYPE_SECURITY_ENABLED }<o:p></o:p></p>
<p class="DSTOC1-3" style="margin-left:20.15pt"><o:p> </o:p></p>
<p class="DSTOC1-3" style="margin-left:20.15pt">6.1.1.6.17 Denied RODC Password Replication Group<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.3in">name: Denied RODC Password Replication Group<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.3in">objectClass: group<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.3in">RID: 572<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.3in">groupType: { GROUP_TYPE_RESOURCE_GROUP | GROUP_TYPE_SECURITY_ENABLED }<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Allowed RODC Password Replication Group and Denied RODC Password Replication Group are, by default, added to attributes msDS-RevealOnDemandGroup and msDS-NeverRevealGroup
respectively during dcpromo; therefore, there is no extra processing needed---following the processing rules as documented in MS-DRSR section 4.1.10.5.14 and MS-ADTS section 3.1.1.4.5.32 will give the correct results.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">These attributes (msDS-RevealOnDemandGroup and msDS-NeverRevealGroup) are maintained by an administrator and implementations must not take a dependency on any
specifics of their contents. Also see section 6.1.1.3.2 of MS-ADTS for more information related to these attributes.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Kindly let us know if above information resolves your query or you require any further clarification.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Tarun Chopra.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Edgar Olougouna
<br>
<b>Sent:</b> Friday, October 19, 2012 8:08 AM<br>
<b>To:</b> mat@samba.org; cifs-protocol@samba.org; Tarun Chopra<br>
<b>Subject:</b> RE: GetRevealSecretsPolicyForUser<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Matthieu,<br>
I am adding my colleague Tarun Chopra who will take care of this while I will be on vacation.<br>
<br>
Thanks,<br>
Edgar<o:p></o:p></span></p>
</div>
</div>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="100%" align="center">
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:
</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Matthieu Patou</span><br>
<b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Sent: </span>
</b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">10/18/2012 1:06 PM</span><br>
<b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">To: </span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Edgar Olougouna;
<a href="mailto:cifs-protocol@samba.org">cifs-protocol@samba.org</a></span><br>
<b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Subject: </span>
</b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Re: GetRevealSecretsPolicyForUser</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:10.0pt">Hello Edgar,<br>
<br>
On 10/17/2012 10:21 AM, Edgar Olougouna wrote:<br>
> Matthieu,<br>
><br>
> There will be an update to MS-ADTS and I will communicate the change as soon as the draft is ready.<br>
> However, the algorithm in MS-DRSR already covers the required processing.<br>
> Allowed RODC Password Replication Group and Denied RODC Password Replication Group are by default added to attributes msDS-RevealOnDemandGroup and msDS-NeverRevealGroup respectively during dcpromo, therefore there is no extra processing needed, following
the processing rules as documented in MS-DRSR 4.1.10.5.14 GetRevealSecretsPolicyForUser will get the right results. These attributes (msDS-RevealOnDemandGroup and msDS-NeverRevealGroup) are maintained by an administrator and implementations must not take a
dependency on any specifics of their contents. More information relating to these attributes can be found in 6.1.1.3.2 MS-ADTS 6.1.1.3.2 Read-Only Domain Controller Object .<br>
So if I read you right then it means that those groups are used only at <br>
(rodc)dcpromo to populate the attributes that are used for checking in <br>
MS-DRSR 4.1.10.5.14.<br>
<br>
Did you verify this behavior ?<br>
This article: <br>
<a href="http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy%28v=ws.10%29.aspx">http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy%28v=ws.10%29.aspx</a>,
<br>
seems to indicate that it's a constant check<br>
" <javascript:void(0)><br>
Reviewing the accounts that are authenticated to an RODC <br>
<javascript:void(0)><br>
------------------------------------------------------------------------<br>
<br>
You should periodically review the accounts that have been authenticated <br>
to an RODC. This information can help you plan updates that you intend <br>
to make to the existing PRP. For example, you may want to review which <br>
user and computer accounts have authenticated to an RODC so that you can <br>
add those accounts to the Allowed List.<br>
<br>
ImportantImportant<br>
You will probably see more accounts in the *Accounts that have been <br>
authenticated to this Read-only Domain Controller* list than will have <br>
passwords cached. Although you may see accounts of writeable domain <br>
controllers or members of the Domain Admins group in the list of <br>
authenticated accounts, it does not necessarily indicate that those <br>
accounts authenticated to the domain through the RODC. Instead, it means <br>
that the RODC in one way or another verified the credentials of those <br>
accounts. All default administrative accounts and domain controllers are <br>
denied explicitly or through their membership from having their <br>
passwords cached. If there are additional accounts that you want to make <br>
sure are not cached, include them in the Deny list or make them members <br>
of the Denied RODC Password Replication Group. The Deny list comprises <br>
of the accounts that are specifically denied in the PRP from caching <br>
their credentials on the RODC.<br>
<br>
"<br>
<br>
Thanks.<br>
<br>
Matthieu<br>
<br>
-- <br>
Matthieu Patou<br>
Samba Team<br>
<a href="http://samba.org">http://samba.org</a><br>
<br>
<o:p></o:p></span></p>
</div>
</div>
</body>
</html>