[cifs-protocol] GetRevealSecretsPolicyForUser

Matthieu Patou mat at samba.org
Thu Oct 18 12:06:47 MDT 2012

Hello Edgar,

On 10/17/2012 10:21 AM, Edgar Olougouna wrote:
> Matthieu,
> There will be an update to MS-ADTS and I will communicate the change as soon as the draft is ready.
> However, the algorithm in MS-DRSR already covers the required processing.
> Allowed RODC Password Replication Group and Denied RODC Password Replication Group are by default added to attributes msDS-RevealOnDemandGroup and msDS-NeverRevealGroup respectively during dcpromo, therefore there is no extra processing needed, following the processing rules as documented in MS-DRSR GetRevealSecretsPolicyForUser will get the right results. These attributes (msDS-RevealOnDemandGroup and msDS-NeverRevealGroup) are maintained by an administrator and implementations must not take a dependency on any specifics of their contents. More information relating to these attributes can be found in MS-ADTS Read-Only Domain Controller Object .
So if I read you right then it means that those groups are used only at 
(rodc)dcpromo to populate the attributes that are used for checking in 

Did you verify this behavior ?
This article: 
seems to indicate that it's a constant check
" <javascript:void(0)>
Reviewing the accounts that are authenticated to an RODC 

You should periodically review the accounts that have been authenticated 
to an RODC. This information can help you plan updates that you intend 
to make to the existing PRP. For example, you may want to review which 
user and computer accounts have authenticated to an RODC so that you can 
add those accounts to the Allowed List.

You will probably see more accounts in the *Accounts that have been 
authenticated to this Read-only Domain Controller* list than will have 
passwords cached. Although you may see accounts of writeable domain 
controllers or members of the Domain Admins group in the list of 
authenticated accounts, it does not necessarily indicate that those 
accounts authenticated to the domain through the RODC. Instead, it means 
that the RODC in one way or another verified the credentials of those 
accounts. All default administrative accounts and domain controllers are 
denied explicitly or through their membership from having their 
passwords cached. If there are additional accounts that you want to make 
sure are not cached, include them in the Deny list or make them members 
of the Denied RODC Password Replication Group. The Deny list comprises 
of the accounts that are specifically denied in the PRP from caching 
their credentials on the RODC.




Matthieu Patou
Samba Team

More information about the cifs-protocol mailing list