[cifs-protocol] [REG:110081752971983] RE: How to RODCs get their membership of the ENTERPRISE_RODCs group

Hongwei Sun hongweis at microsoft.com
Wed Sep 8 15:44:25 MDT 2010


Andrew,

   I duplicated the behavior using the information you provided. Thanks! We confirmed that the observed behavior is expected due to the following logic:

   If the user account is an RODC machine account, i.e. the UserAccountControl flags on the account object have USER_WORKSTATION_TRUST_ACCOUNT | USER_PARTIAL_SECRETS_ACCOUNT set, the RID DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS (498) will be automatically added to the SID list for group membership.

   We are working on finding the appropriate way to document the behavior in the future release of the protocol documents. 

Thanks!

Hongwei


-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Tuesday, August 31, 2010 3:51 PM
To: Hongwei Sun
Cc: tridge at samba.org; cifs-protocol at samba.org; MSSolve Case Email
Subject: RE: [REG:110081752971983] RE: How to RODCs get their membership of the ENTERPRISE_RODCs group

On Mon, 2010-08-23 at 23:37 +0000, Hongwei Sun wrote:
> Tridge/Andrew,
> 
>    I have been testing and debugging the Windows behavior related to tokenGroups rootDSE attribute in RODC.  It seems that I cannot duplicate what you have observed.   I have a RODC joined to a domain that has two more RWDCs.  I got the following output for the rootDSE in RODC object and RootDSE when I did a base search to the RODC from another DC in the same domain.  They don't include RID 498.  
> 
> 	Dn: (RootDSE)
> 	tokenGroups (16): 
> 	S-1-5-21-3071076805-1052773752-2226054901-500; 
> 	S-1-5-21-3071076805-1052773752-2226054901-513; 
> 	S-1-1-0; 
> 	S-1-5-32-544; 
> 	S-1-5-32-545; 
> 	S-1-5-32-574; 
> 	S-1-5-32-554; 
> 	S-1-5-2; 
> 	S-1-5-11; 
> 	S-1-5-15; 
> 	S-1-5-21-3071076805-1052773752-2226054901-512; 
> 	S-1-5-21-3071076805-1052773752-2226054901-520; 
> 	S-1-5-21-3071076805-1052773752-2226054901-519; 
> 	S-1-5-21-3071076805-1052773752-2226054901-518; 
> 	S-1-5-21-3071076805-1052773752-2226054901-1103; 
> 	S-1-5-21-3071076805-1052773752-2226054901-572;

You have connected as the wrong user.  We joined a Windows RODC to the domain, then changed its password, and ran ldbsearch *as* the RODC, using the password we set on its account.  You have run the search as administrator, and naturally returned the tokenGroups for administrator. 

> 	-----------
> 	***Searching...
> 	ldap_search_s(ld, "CN=RODC01,OU=Domain Controllers,DC=contoso,DC=com", 0, "(objectclass=*)", attrList,  0, &msg)
> 	Getting 1 entries:
> 	Dn: CN=RODC01,OU=Domain Controllers,DC=contoso,DC=com
> 	tokenGroups (2): S-1-5-21-3071076805-1052773752-2226054901-572; 
> S-1-5-21-3071076805-1052773752-2226054901-521;

When you connect as the RODC, you should see these SIDs, and the extra ENTERPRISE_RODCs group in the rootDSE tokenGroups.

I'm sorry I didn't respond earlier - I simply didn't see your mail!

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
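The following is an added example, not code from this thread, from Samba or from Windows: it models the rule Hongwei states at the top of the thread (both UserAccountControl bits set means RID 498 is appended at token-building time, which is why a plain directory search as another principal never shows it) and parses the ldp-style tokenGroups output quoted above so the two views can be compared. The flag bit values and RID 498 are the documented Windows constants; the domain SID and RODC01's stored groups are taken from the thread; prefixing 498 with the account's own domain SID is an assumption.

```python
# Added example, not code from the thread, Samba or Windows. Models the rule
# stated in the thread: an account whose userAccountControl has BOTH
# USER_WORKSTATION_TRUST_ACCOUNT and USER_PARTIAL_SECRETS_ACCOUNT set gets
# RID 498 appended to its group-membership SID list when its token is built.

USER_WORKSTATION_TRUST_ACCOUNT = 0x00001000
USER_PARTIAL_SECRETS_ACCOUNT = 0x04000000
USER_SERVER_TRUST_ACCOUNT = 0x00002000  # set on a writable DC, for contrast

RODC_UAC_MASK = USER_WORKSTATION_TRUST_ACCOUNT | USER_PARTIAL_SECRETS_ACCOUNT
DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS = 498


def is_rodc_account(user_account_control: int) -> bool:
    """True only when both bits are set: a plain workstation (0x1000 alone),
    a writable DC (0x2000) or a stray 0x04000000 must not qualify."""
    return (user_account_control & RODC_UAC_MASK) == RODC_UAC_MASK


def expand_token_groups(domain_sid: str, user_account_control: int,
                        stored_group_rids: list[int]) -> list[str]:
    """Build the SID list the RODC sees for its own account. stored_group_rids
    are the memberships recorded in the directory (what a search as another
    principal returns); 498 is added only here, never stored.
    Assumption: 498 is prefixed with the account's own domain SID."""
    sids = [f"{domain_sid}-{rid}" for rid in stored_group_rids]
    if is_rodc_account(user_account_control):
        rodc_sid = f"{domain_sid}-{DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS}"
        if rodc_sid not in sids:  # keep the list free of duplicates
            sids.append(rodc_sid)
    return sids


def parse_ldp_token_groups(output: str) -> list[str]:
    """Parse 'tokenGroups (N): S-...; S-...;' as printed by ldp.exe in the
    thread, tolerating SIDs wrapped onto continuation lines."""
    text = output.split("tokenGroups", 1)[1].split(":", 1)[1]
    return [s.strip() for s in text.replace("\n", " ").split(";") if s.strip()]


def has_enterprise_rodc_sid(sids: list[str]) -> bool:
    """Defender check: does a token/SID list carry the 498 RID?"""
    return any(s.rsplit("-", 1)[-1] == "498" for s in sids)


# Sample values from the thread: the domain SID and RODC01's stored groups.
DOMAIN_SID = "S-1-5-21-3071076805-1052773752-2226054901"
RODC01_LDP_OUTPUT = """tokenGroups (2): S-1-5-21-3071076805-1052773752-2226054901-572;
S-1-5-21-3071076805-1052773752-2226054901-521;"""

if __name__ == "__main__":
    stored = parse_ldp_token_groups(RODC01_LDP_OUTPUT)
    token = expand_token_groups(DOMAIN_SID, RODC_UAC_MASK, [572, 521])
    print("stored:", stored, "has 498:", has_enterprise_rodc_sid(stored))
    print("as RODC:", token, "has 498:", has_enterprise_rodc_sid(token))
```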

