[cifs-protocol] [REG:114112412079949] Is MS-ADTS DL_DRSGetMemberships correct for workstation trust accounts?

Vilmos Foltenyi vilmosf at microsoft.com
Sun Nov 23 22:27:31 MST 2014

[dochelp to Bcc, SR # to Subject]

Hi Andrew,

Thank you for your question. I created the case SR 114112412079949 to track this issue with the Protocol Documentation support team. An engineer from our team will contact you soon via e-mail to begin working with you.

Vilmos Foltenyi - MSFT

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Sunday, November 23, 2014 20:32
To: Interoperability Documentation Help
Cc: cifs-protocol at samba.org
Subject: Is MS-ADTS DL_DRSGetMemberships correct for workstation trust accounts?

In MS-ADTS Server Behavior of the IDL_DRSGetMemberships Method

It has this in the psudocode:

if((u!userAccountControl & ADS_UF_WORKSTATION_TRUST_ACCOUNT =
(u!userAccountControl & ADS_UF_PARTIAL_SECRETS_ACCOUNT =
wSet := wSet + GetDSNameOfEnterpriseRODCsGroup() endif

I'm curious about the 'or' in the middle of the if statement.  Shoudn't it be an 'and', because you only want to put the object in the EnterpriseRODCs Group if it is both a workstation trust account, and a partial secrets account (otherwise, all workstations would be in it).


Andrew Bartlett
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the cifs-protocol mailing list