[cifs-protocol] MS-ADTS: msDS-ResultantPSO and DOMAIN_USER_RID_KRBTGT discrepancy
timbeale at catalyst.net.nz
Thu Apr 5 20:59:56 UTC 2018
I'm looking into the behaviour of msDS-ResultantPSO and found a
discrepancy between the specification and the actual behaviour.
In MS-ADTS, section 18.104.22.168.5.36 msDS-ResultantPSO, it says the
If the RID in U!objectSid is equal to DOMAIN_USER_RID_KRBTGT, then
there is no value in this attribute.
I tried adding a PSO object and applying it to the krbtgt user on a
Windows 2012R2 VM. Based on the spec, I would expect no
msDS-ResultantPSO to be returned for the krbtgt user. However, I do see
one returned, e.g.
# record 1
msDS-ResultantPSO: CN=dummy-PSO,CN=Password Settings
You can see the RID in the objectSid is 502, which is
Could you please clarify which is incorrect - the specification or the
Windows behaviour? Or have I misunderstood something?
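
The check described in the message above, as an added example that is not part of the original post: it decodes a binary objectSid from an LDIF record, extracts the RID, and reports whether a record with the krbtgt RID still carries msDS-ResultantPSO. The sample record, its domain, SID and PSO DN are constructed, and the function names are hypothetical.

```python
import base64
import struct

DOMAIN_USER_RID_KRBTGT = 502  # RID value the post reports for krbtgt

def pack_sid(authority, subauths):
    """Build a binary SID; used only to construct the sample record."""
    return (bytes([1, len(subauths)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subauths), *subauths))

def rid_from_sid(raw):
    """Return the last sub-authority (the RID) of a binary objectSid."""
    if len(raw) < 8 or raw[0] != 1:
        raise ValueError("not a revision-1 SID")
    count = raw[1]
    if not 1 <= count <= 15 or len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match length")
    return struct.unpack("<%dI" % count, raw[8:])[-1]

def parse_ldif_record(text):
    """Parse one LDIF record into {attr: [bytes]}; '::' values are base64."""
    attrs = {}
    for line in text.strip().splitlines():
        if line.startswith("#") or ":" not in line:
            continue  # comments and (unsupported) continuation lines
        name, _, value = line.partition(":")
        if value.startswith(":"):
            data = base64.b64decode(value[1:].strip())
        else:
            data = value.strip().encode()
        attrs.setdefault(name.lower(), []).append(data)
    return attrs

def contradicts_spec(record):
    """True if an object with the krbtgt RID has msDS-ResultantPSO set,
    which the spec sentence quoted in the post says should not happen."""
    rid = rid_from_sid(record["objectsid"][0])
    return rid == DOMAIN_USER_RID_KRBTGT and "msds-resultantpso" in record

# Constructed sample record: domain, SID and PSO DN are made up.
SAMPLE = "\n".join([
    "# record 1",
    "dn: CN=krbtgt,CN=Users,DC=example,DC=com",
    "objectSid:: " + base64.b64encode(
        pack_sid(5, [21, 1111, 2222, 3333, 502])).decode(),
    "msDS-ResultantPSO: CN=dummy-PSO,CN=Password Settings Container,"
    "CN=System,DC=example,DC=com",
])

if __name__ == "__main__":
    print(contradicts_spec(parse_ldif_record(SAMPLE)))
```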