<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40" dir="ltr"><head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Segoe UI";
panose-1:2 11 5 2 4 2 4 2 2 3;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"Segoe UI Light";
panose-1:2 11 5 2 4 2 4 2 2 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
p.xmsonormal, li.xmsonormal, div.xmsonormal
{mso-style-name:x_msonormal;
margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.xcontentpasted0
{mso-style-name:x_contentpasted0;}
span.xapple-converted-space
{mso-style-name:x_apple-converted-space;}
span.EmailStyle26
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" style="text-align:left; direction:ltr;"><div>Thanks so much Jeff. I have no more questions, but will get back to you for more detail if we get asked to implement this, so you can close this question.</div><div><br></div><div>More as a comment to others on the list, I'm not planning on working on this specifically in the short term, but we have a contract though work to implement Group Managed Service Accounts in Samba, as I understand it this would build nicely on top of that.</div><div><br></div><div>Andrew Bartlett</div><div><br></div><div>On Wed, 2023-05-31 at 18:39 +0000, Jeff McCashland (He/him) wrote:</div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex">
<div class="WordSection1">
<p class="MsoNormal">Hi Andrew,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I have some responses to your questions: <o:p></o:p></p>
<p class="MsoNormal">>>I would like to understand how Encrypted password storage support is expressed in terms of protocol operations - is this encrypted (additionally) over LDAP, or does this just mean that internally these are encrypted but decrypted for
presentation on LDAP. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The Windows LAPS encrypted passwords are first encrypted by the client machine as described here in the MS-ADA2
<a href="https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-ada2/b6ea7b78-64da-48d3-87cb-2cff378e4597">
ms-LAPS-EncryptedPassword topic</a>:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><b><span style="color:#548235">EncryptedPassword (variable):
</span></b><span style="color:#548235">variable-length data containing an encrypted buffer.
<span style="background:yellow;mso-highlight:yellow">The buffer is encrypted using a group key obtained via [MS-GKDI].</span> The decrypted data contains a JSON string that uses the format specified in
<b>ms-LAPS-Password</b> (section <a href="https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-ada2/b2e01af2-3ff5-4c64-8ef3-d0d8a545945b">
<span style="color:#548235">2.64</span></a>).<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">No “new” protocol operations have been added as part of the Windows LAPS feature – it’s just standard MS-GKDI plus standard LDAP.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">>>Does being encrypted prevent the value being searched for in an LDAP expression?
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">If you mean searching the password attributes by cleartext, if so yes being encrypted does prevent that. A client who is authorized to read the attributes could still attempt binary-style-searching over the value (not very useful). There
is a small non-encrypted header at the beginning of the ms-LAPS-EncryptedPassword buffer that contains a PasswordUpdateTimestamp field.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">>>(I ask as Samba's encrypted password stroage does this - but we limit this to secret attributes like the built-in passwords). How are these schema elements marked so as to trigger this server behaviour?
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Windows LAPS encrypts the password before it leaves the device (ie, before the encrypted password is stored in AD using standard LDAP). There are no new server behaviors and no new schema element markings.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">>>Finally, I wasn't asking about the DSRM account management feature, as that is a client feature (the AD DC acts, as I read it, as a protocol client and learns how to store a DSRM passwrod just like it would an Admin password). “<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">That’s basically correct - however from an informative explanation POV, be aware that the behavior is identical whether the client storing a Windows LAPS password is a DC or a domain-joined client – there’s no difference other than the
specific attributes that are used to store the password (ie, ms-LAPS-EncryptedPassword vs ms-LAPS-Encrypted<span style="background:yellow;mso-highlight:yellow">DSRM</span>Password).<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">>>The table [at the link referenced below] describes how "Encrypted password storage supported (for domain-joined clients)" needs a 2016 domain functional level,<o:p></o:p></p>
<p class="MsoNormal">>>and so what I was trying to learn was which aspect of the 2016 level is being used by this feature (so we know what to implement).”<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">As long as Samba supports 1) 2016 DFL as it has been previously specified, and 2) MS-GKDI, then you should expect that Samba will interoperate just fine with the new Windows LAPS feature.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Note: a manual schema extension step is required, documented
<a href="https://learn.microsoft.com/windows-server/identity/laps/laps-scenarios-windows-server-active-directory#update-the-windows-server-active-directory-schema">
here</a>.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I hope that helps!<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">Best regards,</span><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy"><br>
<i>Jeff M</i></span></b><b><i><sup><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#002060">c</span></sup></i></b><b><i><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy">Cashland (He/him) </span></i></b><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy">|
Senior Escalation Engineer<i> | Microsoft</i></span></b><b><span style="font-family:"Arial",sans-serif;color:navy"> </span></b><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy">Protocol Open Specifications Team</span></b><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:blue">Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:blue">Local country phone number found here: </span><span style="color:#2F5496"><a href="http://support.microsoft.com/globalenglish"><span style="font-size:8.0pt;font-family:"Arial",sans-serif">http://support.microsoft.com/globalenglish</span></a></span><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:blue"> |
Extension 1138300</span><o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Andrew Bartlett <abartlet@samba.org> <br>
<b>Sent:</b> Sunday, May 28, 2023 9:51 PM<br>
<b>To:</b> Jeff McCashland (He/him) <jeffm@microsoft.com><br>
<b>Cc:</b> cifs-protocol mailing list <cifs-protocol@lists.samba.org>; Microsoft Support <supportmail@microsoft.com><br>
<b>Subject:</b> [EXTERNAL] Re: [cifs-protocol] Requirements on Windows 2016 for new LAPS - TrackingID#2305250040009499<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">The key phrase is I guess:<b> Once your domain reaches 2016 DFL, you can enable Windows LAPS password encryption</b>, and I'm trying to understand the protocol behaviours that change in FL2016 for that.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The table describes how "Encrypted password storage supported (for domain-joined clients)" needs a 2016 domain functional level, and so what I was trying to learn was which aspect of the 2016 level is being used by this feature (so we know
what to implement). <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I would like to understand how Encrypted password storage support is expressed in terms of protocol operations - is this encrypted (additionally) over LDAP, or does this just mean that internally these are encrypted but decrypted for presentation
on LDAP. Does being encrypted prevent the value being searched for in an LDAP expression?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">(I ask as Samba's encrypted password stroage does this - but we limit this to secret attributes like the built-in passwords)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">How are these schema elements marked so as to trigger this server behaviour?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Finally, I wasn't asking about the DSRM account management feature, as that is a client feature (the AD DC acts, as I read it, as a protocol client and learns how to store a DSRM passwrod just like it would an Admin password). <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I hope this clarifies my question.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks!<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">On Fri, 2023-05-26 at 18:13 +0000, Jeff McCashland (He/him) via cifs-protocol wrote:<o:p></o:p></p>
</div>
<blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex">
<p class="MsoNormal">Hi Andrew,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Below you said that this link mentions new requirements for WS2016 for LAPS:<o:p></o:p></p>
<p class="MsoNormal"><a href="https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-scenarios-windows-server-active-directory">Get started with Windows LAPS and Windows Server Active Directory | Microsoft Learn</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">However, I didn’t find that mention when I read the article. There is a discussion of 2016 Domain Functional Level, but it also says:
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">“<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif;color:#161616;background:white">Once your domain reaches 2016 DFL, you can enable Windows LAPS password encryption. However if you're still running any WS2016 DCs, those
<span style="background:yellow;mso-highlight:yellow">WS2016 DCs don't support Windows LAPS</span> and therefore can't use the DSRM account management feature.</span>”<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Did I miss something? Could you specify which text in the article suggests the requirements for WS2016? There is a requirement for a minimum of 2016 Domain Functional Level. Did you have a question on that?
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">Best regards,</span><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy"><br>
<i>Jeff M</i></span></b><b><i><sup><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#002060">c</span></sup></i></b><b><i><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy">Cashland (He/him) </span></i></b><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy">|
Senior Escalation Engineer<i> | Microsoft</i></span></b><b><span style="font-family:"Arial",sans-serif;color:navy"> </span></b><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy">Protocol Open Specifications Team</span></b><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:blue">Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:blue">Local country phone number found here: </span><span style="color:#2F5496"><a href="http://support.microsoft.com/globalenglish"><span style="font-size:8.0pt;font-family:"Arial",sans-serif">http://support.microsoft.com/globalenglish</span></a></span><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:blue"> |
Extension 1138300</span><o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Jeff McCashland (He/him) <<a href="mailto:jeffm@microsoft.com">jeffm@microsoft.com</a>>
<br>
<b>Sent:</b> Thursday, May 25, 2023 12:53 PM<br>
<b>To:</b> Andrew Bartlett <<a href="mailto:abartlet@samba.org">abartlet@samba.org</a>><br>
<b>Cc:</b> cifs-protocol mailing list <<a href="mailto:cifs-protocol@lists.samba.org">cifs-protocol@lists.samba.org</a>>; Microsoft Support <<a href="mailto:supportmail@microsoft.com">supportmail@microsoft.com</a>><br>
<b>Subject:</b> Requirements on Windows 2016 for new LAPS - TrackingID#2305250040009499<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">[DocHelp on BCC, Updated Subject with new SR ID]<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hi Andrew,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks for letting me know your second question was not answered by the published docs. We have created SR 2305250040009499 to track this issue.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I will research the question and let you know what I find. <o:p>
</o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">Best regards,</span><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy"><br>
<i>Jeff M</i></span></b><b><i><sup><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#002060">c</span></sup></i></b><b><i><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy">Cashland (He/him) </span></i></b><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy">|
Senior Escalation Engineer<i> | Microsoft</i></span></b><b><span style="font-family:"Arial",sans-serif;color:navy"> </span></b><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy">Protocol Open Specifications Team</span></b><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:blue">Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:blue">Local country phone number found here: </span><span style="color:#2F5496"><a href="http://support.microsoft.com/globalenglish"><span style="font-size:8.0pt;font-family:"Arial",sans-serif">http://support.microsoft.com/globalenglish</span></a></span><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:blue"> |
Extension 1138300</span><o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Andrew Bartlett <<a href="mailto:abartlet@samba.org">abartlet@samba.org</a>>
<br>
<b>Sent:</b> Wednesday, May 24, 2023 2:45 PM<br>
<b>To:</b> Jeff McCashland (He/him) <<a href="mailto:jeffm@microsoft.com">jeffm@microsoft.com</a>><br>
<b>Cc:</b> cifs-protocol mailing list <<a href="mailto:cifs-protocol@lists.samba.org">cifs-protocol@lists.samba.org</a>>; Microsoft Support <<a href="mailto:supportmail@microsoft.com">supportmail@microsoft.com</a>><br>
<b>Subject:</b> Re: [cifs-protocol] [EXTERNAL] Local Administrator Password Solution (new and legacy) - TrackingID#2305110040008264<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Thanks. That is useful.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Are you still looking into the new 2016 requirements part of the question?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Andrew Bartlett<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">On Fri, 2023-05-12 at 23:05 +0000, Jeff McCashland (He/him) via cifs-protocol wrote:<o:p></o:p></p>
</div>
<blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex">
<div>
<p class="MsoNormal"><span style="color:black">Hi Andrew,</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black">[MS-ADA2] has just been republished with updates related to the new Windows LAPS. Please review the new information and see if it answers some of your questions. </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"><a href="https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-ada2/e20ebc4e-5285-40ba-b3bd-ffcb81c2783e">[MS-ADA2]: Active Directory Schema Attributes M | Microsoft Learn</a></span><o:p></o:p></p>
</div>
<div>
<div style="margin-top:12.0pt;margin-bottom:12.0pt;min-width: 424px" id="LPBorder_GTaHR0cHM6Ly9sZWFybi5taWNyb3NvZnQuY29tL2VuLXVzL29wZW5zcGVjcy93aW5kb3dzX3Byb3RvY29scy9tcy1hZGEyL2UyMGViYzRlLTUyODUtNDBiYS1iM2JkLWZmY2I4MWMyNzgzZQ..">
<table class="MsoNormalTable" border="1" cellspacing="4" cellpadding="0" width="100%" style="width:100.0%;border:solid #C8C8C8 1.0pt">
<tbody>
<tr>
<td valign="top" style="border:none;padding:9.0pt 27.0pt 9.0pt 9.0pt">
<div style="margin-right:9.0pt;overflow:hidden" id="LPImageContainer959984">
<p class="MsoNormal"><a href="https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-ada2/e20ebc4e-5285-40ba-b3bd-ffcb81c2783e" target="_blank"><span style="text-decoration:none"><img border="0" width="160" height="160" style="width:1.6666in;height:1.6666in" id="_x0000_i1028" src="https://learn.microsoft.com/en-us/media/logos/logo-ms-social.png"></span></a><o:p></o:p></p>
</div>
</td>
<td width="100%" valign="top" style="width:100.0%;border:none;padding:9.0pt 27.0pt 9.0pt 9.0pt">
<div style="margin-right:6.0pt;margin-bottom:9.0pt" id="LPTitle959984">
<p class="MsoNormal"><span style="font-size:16.0pt;font-family:"Segoe UI Light",sans-serif"><a href="https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-ada2/e20ebc4e-5285-40ba-b3bd-ffcb81c2783e" target="_blank"><span style="text-decoration:none">[MS-ADA2]:
Active Directory Schema Attributes M</span></a><o:p></o:p></span></p>
</div>
<div style="margin-right:6.0pt;margin-bottom:9.0pt;max-height: 100px;overflow:hidden" id="LPDescription959984">
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Segoe UI",sans-serif;color:#666666">Specifies the Active Directory Schema Attributes M, which contains a partial list of the objects that exist in the Active Directory schema<o:p></o:p></span></p>
</div>
<div id="LPMetadata959984">
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Segoe UI",sans-serif;color:#A6A6A6">learn.microsoft.com<o:p></o:p></span></p>
</div>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal"><span style="color:black"><o:p> </o:p></span></p>
</div>
<div id="Signature">
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">Best regards,</span><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy"><br>
<i>Jeff M</i></span></b><b><i><sup><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#002060">c</span></sup></i></b><b><i><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy">Cashland (He/him)<span class="apple-converted-space"> </span></span></i></b><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy">|
Senior Escalation Engineer<span class="apple-converted-space"><i> </i></span><i>| Microsoft</i></span></b><span class="apple-converted-space"><b><span style="font-family:"Arial",sans-serif;color:navy"> </span></b></span><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy">Protocol
Open Specifications Team</span></b><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:blue">Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:blue">Local country phone number found here:<span class="apple-converted-space"> </span></span><span style="color:#2F5496"><a href="http://support.microsoft.com/globalenglish"><span style="font-size:8.0pt;font-family:"Arial",sans-serif">http://support.microsoft.com/globalenglish</span></a></span><span class="apple-converted-space"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:blue"> </span></span><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:blue">|
Extension 1138300</span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="1" width="98%" align="center">
</div>
<div id="divRplyFwdMsg">
<p class="MsoNormal"><b><span style="color:black">From:</span></b><span style="color:black"> Jeff McCashland (He/him) <<a href="mailto:jeffm@microsoft.com">jeffm@microsoft.com</a>><br>
<b>Sent:</b> Thursday, May 11, 2023 9:58 AM<br>
<b>To:</b> Andrew Bartlett <<a href="mailto:abartlet@samba.org">abartlet@samba.org</a>><br>
<b>Cc:</b> cifs-protocol mailing list <<a href="mailto:cifs-protocol@lists.samba.org">cifs-protocol@lists.samba.org</a>>; Microsoft Support <<a href="mailto:supportmail@microsoft.com">supportmail@microsoft.com</a>><br>
<b>Subject:</b> Re: [EXTERNAL] Local Administrator Password Solution (new and legacy) - TrackingID#2305110040008264</span>
<o:p></o:p></p>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="color:black">[DocHelp to BCC, support on CC, SR ID on Subject]</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black">Hi Andrew,</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span class="xcontentpasted0"><span style="color:black">Thank you for your questions. We have created SR 2305110040008264 to track this issue. One of our engineers will respond soon. </span></span><o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="color:black"><o:p> </o:p></span></p>
</div>
<div id="x_Signature">
<div>
<div>
<p class="xmsonormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">Best regards,</span><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy"><br>
<i>Jeff M</i></span></b><b><i><sup><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#002060">c</span></sup></i></b><b><i><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy">Cashland (He/him)<span class="xapple-converted-space"> </span></span></i></b><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy">|
Senior Escalation Engineer<span class="xapple-converted-space"><i> </i></span><i>| Microsoft</i></span></b><span class="xapple-converted-space"><b><span style="font-family:"Arial",sans-serif;color:navy"> </span></b></span><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy">Protocol
Open Specifications Team</span></b><o:p></o:p></p>
<p class="xmsonormal"><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:blue">Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)</span><o:p></o:p></p>
<p class="xmsonormal"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:blue">Local country phone number found here:<span class="xapple-converted-space"> </span></span><span style="color:#2F5496"><a href="http://support.microsoft.com/globalenglish"><span style="font-size:8.0pt;font-family:"Arial",sans-serif">http://support.microsoft.com/globalenglish</span></a></span><span class="xapple-converted-space"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:blue"> </span></span><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:blue">|
Extension 1138300</span><o:p></o:p></p>
<p class="xmsonormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="1" width="98%" align="center">
</div>
<div id="x_divRplyFwdMsg">
<p class="MsoNormal"><b><span style="color:black">From:</span></b><span style="color:black"> Andrew Bartlett <<a href="mailto:abartlet@samba.org">abartlet@samba.org</a>><br>
<b>Sent:</b> Wednesday, May 10, 2023 10:41 PM<br>
<b>To:</b> Interoperability Documentation Help <<a href="mailto:dochelp@microsoft.com">dochelp@microsoft.com</a>><br>
<b>Cc:</b> cifs-protocol mailing list <<a href="mailto:cifs-protocol@lists.samba.org">cifs-protocol@lists.samba.org</a>><br>
<b>Subject:</b> [EXTERNAL] Local Administrator Password Solution (new and legacy)</span>
<o:p></o:p></p>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Kia Ora DocHelp,<br>
<br>
(again) Per my phone call with Obaid and Tom last week.<br>
<br>
We were talking about LAPS, the Local Administrator Password Solution.<br>
<br>
I have two questions, firstly on getting the schema for LAPS and LAPS<br>
legacy:<br>
<br>
Is the schema added by Update-LapsADSchema published anywhere, ideally<br>
under same licence as <br>
<a href="https://github.com/MicrosoftDocs/windowsserverdocs">https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FMicrosoftDocs%2Fwindowsserverdocs&data=05%7C01%7Cjeffm%40microsoft.com%7C884535e06331450deb2b08db51e25f98%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638193805005804214%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=HGoaYn6NbEC2pO4Gxnr%2BiqDHRkkPCA9CJmMf8AA8B20%3D&reserved=0</a>
?<br>
<br>
Likewise, it would be helpful to still support legacy LAPS in Samba.<br>
<a href="https://www.microsoft.com/en-us/download/details.aspx?id=46899">https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3Fid%3D46899&data=05%7C01%7Cjeffm%40microsoft.com%7C884535e06331450deb2b08db51e25f98%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638193805005804214%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=EUtO8w8QJcuCu1JfGAotqz4nh938ppmvl1laVpbMm1k%3D&reserved=0</a><br>
<br>
This link below shows the schema in another user's repo (not Samba).<br>
<br>
Would it be possible to get or be pointed at a public and licensed copy<br>
of this schema so Samba can support this 'out of the box'?<br>
<br>
<a href="https://github.com/oz9un/LAPS-for-SAMBA/blob/master/scripts/laps-install">https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Foz9un%2FLAPS-for-SAMBA%2Fblob%2Fmaster%2Fscripts%2Flaps-install&data=05%7C01%7Cjeffm%40microsoft.com%7C884535e06331450deb2b08db51e25f98%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638193805005804214%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=jqSSZnYv1uTR3yIoHCKOS%2Bwej%2BL3qwdl6VQNdIeyqzk%3D&reserved=0</a><br>
<br>
Secondly, there are requirements on Windows 2016 for new LAPS:<br>
<br>
<a href="https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-scenarios-windows-server-active-directory">https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fwindows-server%2Fidentity%2Flaps%2Flaps-scenarios-windows-server-active-directory&data=05%7C01%7Cjeffm%40microsoft.com%7C884535e06331450deb2b08db51e25f98%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638193805005804214%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=N%2FAdAeYW9T%2B%2B75B49fPzYiysF6%2BfpqPPdavNGLh5UmI%3D&reserved=0</a>
mentions requirements on Windows server 2016.<br>
<br>
<br>
Can you clarify which protocol behaviours are needed for this, so I can<br>
investigate this, as nothing like this is mentioned at <br>
<a href="https://learn.microsoft.com/en-us/windows-server/identity/whats-new-active-directory-domain-services?source=recommendations">https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fwindows-server%2Fidentity%2Fwhats-new-active-directory-domain-services%3Fsource%3Drecommendations&data=05%7C01%7Cjeffm%40microsoft.com%7C884535e06331450deb2b08db51e25f98%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638193805005804214%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=CKB7xpad%2Bwdo7pPRrXXO4U4mmSH0V46rXOdt2jPfaLE%3D&reserved=0</a><br>
and <br>
<a href="https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels">https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fwindows-server%2Fidentity%2Fad-ds%2Factive-directory-functional-levels&data=05%7C01%7Cjeffm%40microsoft.com%7C884535e06331450deb2b08db51e25f98%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638193805005804214%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=67N14qhDnsZ%2Bpqpdfw6xLhZcClRuQQ30jugrOqHBu9Y%3D&reserved=0</a><br>
(I realise Windows is a big product and these are not meant to be<br>
comprehensive). <br>
<br>
<br>
Thanks,<br>
<br>
Andrew Bartlett<o:p></o:p></p>
<pre>_______________________________________________</pre><o:p></o:p>
<p class="MsoNormal"><o:p> </o:p></p>
<pre>cifs-protocol mailing list</pre><o:p></o:p>
<p class="MsoNormal"><u><span style="color:blue"><a href="mailto:cifs-protocol@lists.samba.org"><span style="color:windowtext;text-decoration:none"><o:p></o:p></span></a></span></u></p>
<u><span style="color:blue"><a href="mailto:cifs-protocol@lists.samba.org"><pre>cifs-protocol@lists.samba.org</pre><o:p></o:p></a></span></u>
<p class="MsoNormal"><u><span style="color:blue"><span class="MsoHyperlink"><o:p><span style="text-decoration:none"> </span></o:p></span></span></u></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><u><span style="color:blue"><a href="https://lists.samba.org/mailman/listinfo/cifs-protocol"><o:p></o:p></a></span></u></p>
<u><span style="color:blue"><a href="https://lists.samba.org/mailman/listinfo/cifs-protocol"><pre>https://lists.samba.org/mailman/listinfo/cifs-protocol</pre><span style="color:windowtext;text-decoration:none"><o:p></o:p></span></a></span></u>
<p class="MsoNormal"><u><span style="color:blue"><span class="MsoHyperlink"><o:p><span style="text-decoration:none"> </span></o:p></span></span></u></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</blockquote>
<div>
<pre>-- </pre><o:p></o:p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Andrew Bartlett (he/him) <a href="https://samba.org/~abartlet/">https://samba.org/~abartlet/</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Samba Team Member (since 2001) <a href="https://samba.org/">
https://samba.org</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Samba Team Lead <a href="https://catalyst.net.nz/services/samba">https://catalyst.net.nz/services/samba</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:13.0pt">Catalyst.Net Ltd</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Samba Development and Support: <a href="https://catalyst.net.nz/services/samba">
https://catalyst.net.nz/services/samba</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Catalyst IT - Expert Open Source Solutions<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<pre>_______________________________________________</pre><o:p></o:p>
<pre>cifs-protocol mailing list</pre><o:p></o:p>
<p class="MsoNormal"><a href="mailto:cifs-protocol@lists.samba.org"><o:p></o:p></a></p>
<u><span style="color:blue"><a href="mailto:cifs-protocol@lists.samba.org"><pre>cifs-protocol@lists.samba.org</pre><span style="color:windowtext;text-decoration:none"><o:p></o:p></span></a></span></u>
<p class="MsoNormal"><o:p> </o:p></p>
<o:p><pre> </pre></o:p>
<p class="MsoNormal"><a href="https://lists.samba.org/mailman/listinfo/cifs-protocol"><o:p></o:p></a></p>
<u><span style="color:blue"><a href="https://lists.samba.org/mailman/listinfo/cifs-protocol"><pre>https://lists.samba.org/mailman/listinfo/cifs-protocol</pre><span style="color:windowtext;text-decoration:none"><o:p></o:p></span></a></span></u>
<p class="MsoNormal"><o:p> </o:p></p>
<o:p><pre> </pre></o:p>
</blockquote>
<div>
<pre>-- </pre><o:p></o:p>
<div>
<p class="MsoNormal">Andrew Bartlett (he/him) <a href="https://samba.org/~abartlet/">https://samba.org/~abartlet/</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Samba Team Member (since 2001) <a href="https://samba.org/">
https://samba.org</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Samba Team Lead <a href="https://catalyst.net.nz/services/samba">https://catalyst.net.nz/services/samba</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Catalyst.Net Ltd<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Samba Development and Support: <a href="https://catalyst.net.nz/services/samba">
https://catalyst.net.nz/services/samba</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Catalyst IT - Expert Open Source Solutions<o:p></o:p></p>
</div>
</div>
</div>
</blockquote><div><span><pre>-- <br></pre><div style="width: 71ch;">Andrew Bartlett (he/him) <a href="https://samba.org/~abartlet/">https://samba.org/~abartlet/</a></div><div style="width: 71ch;" data-evo-signature-plain-text-mode="">Samba Team Member (since 2001) <a href="https://samba.org">https://samba.org</a></div><div style="width: 71ch;" data-evo-signature-plain-text-mode="">Samba Team Lead <a href="https://catalyst.net.nz/services/samba">https://catalyst.net.nz/services/samba</a></div><div style="width: 71ch;" data-evo-signature-plain-text-mode="">Catalyst.Net Ltd</div><div style="width: 71ch;" data-evo-signature-plain-text-mode=""><br></div><div style="width: 71ch;" data-evo-signature-plain-text-mode="">Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company</div><div style="width: 71ch;" data-evo-signature-plain-text-mode=""><br></div><div style="width: 71ch;" data-evo-signature-plain-text-mode="">Samba Development and Support: <a href="https://catalyst.net.nz/services/samba">https://catalyst.net.nz/services/samba</a></div><div style="width: 71ch;" data-evo-signature-plain-text-mode=""><br></div><div style="width: 71ch;" data-evo-signature-plain-text-mode="">Catalyst IT - Expert Open Source Solutions</div><div style="width: 71ch;"></div></span></div></body></html>