[cifs-protocol] [REG:110081752971983] RE: How to RODCs get their membership of the ENTERPRISE_RODCs group

Hongwei Sun hongweis at microsoft.com
Wed Sep 8 15:44:25 MDT 2010


I duplicated the behavior using the information you provided. Thanks! We confirmed that the observed behavior is expected due to the following logic:

If the user account is an RODC machine account, i.e. the UserAccountControl flag on the account object has USER_WORKSTATION_TRUST_ACCOUNT | USER_PARTIAL_SECRETS_ACCOUNT set, the RID DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS (498) will be automatically added to the SID list for group membership.

We are working on finding the appropriate way to document the behavior in a future release of the protocol documents.



-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Tuesday, August 31, 2010 3:51 PM
To: Hongwei Sun
Cc: tridge at samba.org; cifs-protocol at samba.org; MSSolve Case Email
Subject: RE: [REG:110081752971983] RE: How to RODCs get their membership of the ENTERPRISE_RODCs group

On Mon, 2010-08-23 at 23:37 +0000, Hongwei Sun wrote:
> Tridge/Andrew,
>    I have been testing and debugging the Windows behavior related to tokenGroups rootDSE attribute in RODC.  It seems that I cannot duplicate what you have observed.   I have a RODC joined to a domain that has two more RWDCs.  I got the following output for the rootDSE in RODC object and RootDSE when I did a base search to the RODC from another DC in the same domain.  They don't include RID 498.  
> 	Dn: (RootDSE)
> 	tokenGroups (16): 
> 	S-1-5-21-3071076805-1052773752-2226054901-500; 
> 	S-1-5-21-3071076805-1052773752-2226054901-513; 
> 	S-1-1-0; 
> 	S-1-5-32-544; 
> 	S-1-5-32-545; 
> 	S-1-5-32-574; 
> 	S-1-5-32-554; 
> 	S-1-5-2; 
> 	S-1-5-11; 
> 	S-1-5-15; 
> 	S-1-5-21-3071076805-1052773752-2226054901-512; 
> 	S-1-5-21-3071076805-1052773752-2226054901-520; 
> 	S-1-5-21-3071076805-1052773752-2226054901-519; 
> 	S-1-5-21-3071076805-1052773752-2226054901-518; 
> 	S-1-5-21-3071076805-1052773752-2226054901-1103; 
> 	S-1-5-21-3071076805-1052773752-2226054901-572;

You have connected as the wrong user.  We joined a Windows RODC to the domain, then changed its password, and ran ldbsearch *as* the RODC, using the password we set on its account.  You have run the search as administrator, and naturally returned the tokenGroups for administrator.

> 	-----------
> 	***Searching...
> 	ldap_search_s(ld, "CN=RODC01,OU=Domain Controllers,DC=contoso,DC=com", 0, "(objectclass=*)", attrList,  0, &msg)
> 	Getting 1 entries:
> 	Dn: CN=RODC01,OU=Domain Controllers,DC=contoso,DC=com
> 	tokenGroups (2): S-1-5-21-3071076805-1052773752-2226054901-572; 
> S-1-5-21-3071076805-1052773752-2226054901-521;

When you connect as the RODC, you should see these SIDs, and the extra ENTERPRISE_RODCs group in the rootDSE tokenGroups.

I'm sorry I didn't respond earlier - I simply didn't see your mail!

Andrew Bartlett
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
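The rule Hongwei describes at the top of the thread, modelled as an added Python example (this is not code from the thread, from Samba or from Windows): an account whose userAccountControl has both USER_WORKSTATION_TRUST_ACCOUNT and USER_PARTIAL_SECRETS_ACCOUNT set receives RID 498 in its logon token, which is why the rootDSE tokenGroups seen when bound *as* the RODC contains one SID more than the tokenGroups attribute stored on the RODC's own account object. The flag values are the documented userAccountControl bit values; the domain SID and the two stored SIDs for RODC01 are the ones quoted in the thread; the account names and the userAccountControl numbers given to them below are constructed for illustration.

```python
"""Model of the ENTERPRISE_RODCs (RID 498) token rule discussed in the thread.

Added example, not Samba or Microsoft code.  It models only the RID 498
addition; the other well-known SIDs a real logon token carries (Everyone,
Authenticated Users, ...) are deliberately left out.
"""
import re

# Documented userAccountControl bit values (MS-SAMR / MS-ADTS).
USER_WORKSTATION_TRUST_ACCOUNT = 0x00001000
USER_PARTIAL_SECRETS_ACCOUNT = 0x04000000

# Well-known RID named in the thread.
DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS = 498

# Domain SID taken from the ldp.exe output quoted in the thread.
DOMAIN_SID = "S-1-5-21-3071076805-1052773752-2226054901"

# tokenGroups of the RODC01 account object, as quoted in the thread
# (two entries, no RID 498: the stored attribute reflects group
# membership only, not the logon-time addition).
RODC01_OBJECT_TOKEN_GROUPS = (
    "tokenGroups (2): S-1-5-21-3071076805-1052773752-2226054901-572; "
    "S-1-5-21-3071076805-1052773752-2226054901-521;"
)

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def is_rodc_account(uac):
    """True when userAccountControl marks the account as an RODC machine
    account: BOTH bits must be set, either one alone is not enough."""
    required = USER_WORKSTATION_TRUST_ACCOUNT | USER_PARTIAL_SECRETS_ACCOUNT
    return (uac & required) == required


def parse_token_groups(text):
    """Parse an ldp.exe style 'tokenGroups (N): S-...; S-...;' dump into a
    list of SID strings, validating each SID's shape."""
    body = text.split(":", 1)[1]
    sids = [s.strip() for s in body.split(";") if s.strip()]
    for sid in sids:
        if not SID_RE.match(sid):
            raise ValueError("not a SID: %r" % sid)
    return sids


def logon_token_sids(domain_sid, stored_token_groups, uac):
    """SID list the rootDSE tokenGroups would show for a bind as this account:
    the stored memberships plus RID 498 when the RODC rule applies."""
    sids = list(stored_token_groups)
    if is_rodc_account(uac):
        sids.append("%s-%d" % (
            domain_sid, DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS))
    return sids


def accounts_granted_rid_498(accounts):
    """Audit helper: names of accounts whose flag combination will earn them
    the ENTERPRISE_RODCs SID at logon.  Only genuine RODCs should appear."""
    return sorted(name for name, uac in accounts.items() if is_rodc_account(uac))


if __name__ == "__main__":
    # Constructed userAccountControl values for three sample accounts.
    sample_accounts = {
        "RODC01$": USER_WORKSTATION_TRUST_ACCOUNT | USER_PARTIAL_SECRETS_ACCOUNT,
        "WKS01$": USER_WORKSTATION_TRUST_ACCOUNT,
        "ODDBOX$": USER_PARTIAL_SECRETS_ACCOUNT,
    }
    stored = parse_token_groups(RODC01_OBJECT_TOKEN_GROUPS)
    print("stored on the RODC01 object:", stored)
    print("seen in rootDSE when bound as RODC01:",
          logon_token_sids(DOMAIN_SID, stored, sample_accounts["RODC01$"]))
    print("accounts that will receive RID 498:",
          accounts_granted_rid_498(sample_accounts))
```

The audit helper is the defender's use of the rule: because RID 498 is granted purely from the flag combination, enumerating accounts that carry both bits (and comparing the list against the known RODCs) is a cheap check that nothing else in the domain has been given an RODC-shaped userAccountControl.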
