[cifs-protocol] GetRevealSecretsPolicyForUser

Edgar Olougouna edgaro at microsoft.com
Fri Oct 19 09:07:31 MDT 2012

I am adding my colleague Tarun Chopra who will take care of this while I will be on vacation.

From: Matthieu Patou
Sent: 10/18/2012 1:06 PM
To: Edgar Olougouna; cifs-protocol at samba.org
Subject: Re: GetRevealSecretsPolicyForUser

Hello Edgar,

On 10/17/2012 10:21 AM, Edgar Olougouna wrote:
> Matthieu,
> There will be an update to MS-ADTS and I will communicate the change as soon as the draft is ready.
> However, the algorithm in MS-DRSR already covers the required processing.
> Allowed RODC Password Replication Group and Denied RODC Password Replication Group are by default added to attributes msDS-RevealOnDemandGroup and msDS-NeverRevealGroup respectively during dcpromo, therefore there is no extra processing needed; following the processing rules as documented in MS-DRSR GetRevealSecretsPolicyForUser will get the right results. These attributes (msDS-RevealOnDemandGroup and msDS-NeverRevealGroup) are maintained by an administrator and implementations must not take a dependency on any specifics of their contents. More information relating to these attributes can be found in MS-ADTS Read-Only Domain Controller Object.
So if I read you right then it means that those groups are used only at
(rodc)dcpromo to populate the attributes that are used for checking in

Did you verify this behavior?
This article:
seems to indicate that it's a constant check
"
Reviewing the accounts that are authenticated to an RODC

You should periodically review the accounts that have been authenticated
to an RODC. This information can help you plan updates that you intend
to make to the existing PRP. For example, you may want to review which
user and computer accounts have authenticated to an RODC so that you can
add those accounts to the Allowed List.

You will probably see more accounts in the *Accounts that have been
authenticated to this Read-only Domain Controller* list than will have
passwords cached. Although you may see accounts of writeable domain
controllers or members of the Domain Admins group in the list of
authenticated accounts, it does not necessarily indicate that those
accounts authenticated to the domain through the RODC. Instead, it means
that the RODC in one way or another verified the credentials of those
accounts. All default administrative accounts and domain controllers are
denied explicitly or through their membership from having their
passwords cached. If there are additional accounts that you want to make
sure are not cached, include them in the Deny list or make them members
of the Denied RODC Password Replication Group. The Deny list comprises
the accounts that are specifically denied in the PRP from caching
their credentials on the RODC.

Matthieu Patou
Samba Team
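The point of the exchange above is that the PRP check reads only the RODC's msDS-RevealOnDemandGroup and msDS-NeverRevealGroup attributes, with the deny side winning (the quoted article: administrators and DCs are "denied explicitly or through their membership"). The following is an added illustration of that evaluation order, not code from Samba or from MS-DRSR; the directory contents, the abbreviated DNs, and the assumption that the two attributes may name accounts directly as well as groups are constructed for the example.

```python
# Constructed sample directory: DN -> list of direct "memberOf" DNs.
# DNs are abbreviated placeholders, not real directory contents.
MEMBER_OF = {
    "CN=alice": ["CN=Branch Staff"],
    "CN=Branch Staff": ["CN=Allowed RODC Password Replication Group"],
    "CN=bob": ["CN=Domain Admins",
               "CN=Allowed RODC Password Replication Group"],
    "CN=Domain Admins": ["CN=Denied RODC Password Replication Group"],
    "CN=carol": [],
}

# Constructed RODC object, populated the way the thread says dcpromo does it:
# the two default groups are placed in the two policy attributes.
RODC = {
    "msDS-RevealOnDemandGroup": ["CN=Allowed RODC Password Replication Group"],
    "msDS-NeverRevealGroup": ["CN=Denied RODC Password Replication Group"],
}


def transitive_groups(dn, member_of):
    """All groups the account belongs to, directly or through nesting."""
    seen = set()
    stack = list(member_of.get(dn, []))
    while stack:
        group = stack.pop()
        if group in seen:  # guards against cyclic nesting
            continue
        seen.add(group)
        stack.extend(member_of.get(group, []))
    return seen


def get_reveal_secrets_policy_for_user(rodc, user_dn, member_of=MEMBER_OF):
    """Simplified model of the MS-DRSR check: deny is evaluated first.

    Assumption (constructed for this example): the policy attributes may list
    an account DN directly as well as group DNs, so the account itself is
    included in the set that is intersected with each attribute.
    """
    principals = transitive_groups(user_dn, member_of) | {user_dn}
    if principals & set(rodc.get("msDS-NeverRevealGroup", [])):
        return False  # membership in a never-reveal entry overrides everything
    if principals & set(rodc.get("msDS-RevealOnDemandGroup", [])):
        return True   # allowed list reached only when nothing denied the account
    return False      # no policy entry at all: secrets are not revealed
```

bob is in the allowed group yet still gets False because Domain Admins is nested under the denied group; carol gets False simply because no attribute names her, which is the default, not an explicit deny.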
