[cifs-protocol] [REG:110081752971983] RE: How to RODCs get their membership of the ENTERPRISE_RODCs group

tridge at samba.org
Tue Aug 17 18:30:08 MDT 2010

Hi Hongwei,

 >    You mentioned that all the documentation talks about RODCs being
 >    a member of the enterprise read only domain controller group,
 >    which has a RID of 498.  What part of the document do you refer
 >    to ?

See for example [MS-DRSR] which has this:

     *   1. Caller is an RODC. An RODC will always be a member of
     *      "Enterprise Read-Only Domain Controllers" (RID 498)

 >   Should I take the question as why tokenGroups of rootDSE has 498
 >   but the tokenGroups of RODC account doesn't have it ?

That is one way to look at it.

We can see via tokenGroups that RODCs are a member of both the group
with RID 498 and the group with RID 521.

Normally a user becomes a member of a group in one of three ways.

 1) via it being the primaryGroupID of the user

 2) via a member attribute on a group (or equivalently via a memberOf
    back link)

 3) via some "special handling" that adds things like anonymous or
    world or other special groups

We suspect that RODCs being a member of 498 is due to something in the
"special handling" category, but we'd like to know what the nature of
that special handling is.

For example, is it something as simple as "when constructing the token
for a user, always add RID 498 if they have RID 521 in their token
from the same domain"? Where things may get tricky is in the
inter-domain (e.g. forest) handling. We'd like to make sure we get this
right, or at least understand how we're getting it wrong :-)

Cheers, Tridge
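A small model of the three membership sources listed above and of the hypothesised "special handling" rule, as an added example that is not part of the original post or of Samba's code: the domain SID and directory objects are constructed, and placing RID 498 in the same domain as the RODC is a simplifying assumption (the inter-domain case is exactly what the message calls tricky).

```python
# Added illustration, not code from the post or from Samba: models the three
# membership sources the message lists and encodes its *hypothesised* special
# rule (add RID 498 when RID 521 from the same domain is in the token). The
# directory below is constructed sample data; same-domain placement of 498 is a
# simplifying assumption, not confirmed AD behaviour.
RID_RODC = 521             # "Read-Only Domain Controllers"
RID_ENTERPRISE_RODC = 498  # "Enterprise Read-Only Domain Controllers"

def split_sid(sid):
    """Split 'S-1-5-21-...-<RID>' into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def token_groups(user_sid, directory):
    """Return the set of group SIDs a token for user_sid would carry.

    directory maps object SID -> {"primaryGroupID": rid, "memberOf": [sids]}.
    """
    domain, _ = split_sid(user_sid)
    groups, todo, seen = set(), [user_sid], set()
    # 1) primaryGroupID: a group in the user's own domain, expanded like any other.
    pgid = directory[user_sid].get("primaryGroupID")
    if pgid is not None:
        primary = f"{domain}-{pgid}"
        groups.add(primary)
        todo.append(primary)
    # 2) member / memberOf back links, followed transitively (nested groups).
    while todo:
        obj = todo.pop()
        if obj in seen:
            continue
        seen.add(obj)
        for g in directory.get(obj, {}).get("memberOf", []):
            groups.add(g)
            todo.append(g)
    # 3) "special handling": the message's hypothesis, NOT confirmed AD behaviour.
    if f"{domain}-{RID_RODC}" in groups:
        groups.add(f"{domain}-{RID_ENTERPRISE_RODC}")
    return groups

DOMAIN = "S-1-5-21-1-2-3"                     # constructed domain SID
DIRECTORY = {                                 # constructed sample objects
    f"{DOMAIN}-1105": {"primaryGroupID": RID_RODC, "memberOf": []},  # an RODC
    f"{DOMAIN}-1106": {"primaryGroupID": 515, "memberOf": [f"{DOMAIN}-1200"]},
    f"{DOMAIN}-1200": {"memberOf": [f"{DOMAIN}-1300"]},              # nested group
}

if __name__ == "__main__":
    for sid in (f"{DOMAIN}-1105", f"{DOMAIN}-1106"):
        print(sid, sorted(token_groups(sid, DIRECTORY)))
```

Running it shows the RODC account picking up both 521 and 498 while the ordinary computer account (primary group 515) only gets its primary and nested groups.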
