[cifs-protocol] [REG:118040517948537] MS-ADTS: msDS-ResultantPSO and DOMAIN_USER_RID_KRBTGT discrepancy
obaidf at microsoft.com
Fri Apr 6 17:48:05 UTC 2018
I'll help you with this issue and will be in touch as soon as I have an answer.
Escalation Engineer | Microsoft
Exceeding your expectations is my highest priority. If you would like to provide feedback on your case you may contact my manager at ramagane at Microsoft dot com
From: Obaid Farooqi
Sent: Friday, April 6, 2018 12:47 PM
To: "'Tim Beale'" <timbeale at catalyst.net.nz>
Cc: "cifs-protocol at lists.samba.org" <cifs-protocol at lists.samba.org>; "MSSolve Case Email" <casemail at microsoft.com>
Subject: [REG:118040517948537] MS-ADTS: msDS-ResultantPSO and DOMAIN_USER_RID_KRBTGT discrepancy
We have created a case, 118040517948537, to track your inquiry, and an Escalation Engineer will contact you to assist further.
Tarun Chopra | Sr. Escalation Engineer
Open Specifications Support Team
Email tarun.chopra at microsoft.com
Monday-Friday 9:00a-6:00p Pacific Timezone
From: Tim Beale <timbeale at catalyst.net.nz>
Sent: Thursday, April 5, 2018 2:00 PM
To: Interoperability Documentation Help <dochelp at microsoft.com>; cifs-protocol at lists.samba.org
Subject: MS-ADTS: msDS-ResultantPSO and DOMAIN_USER_RID_KRBTGT discrepancy
I'm looking into the behaviour of msDS-ResultantPSO and found a discrepancy between the specification and the actual behaviour.
In MS-ADTS, section 126.96.36.199.5.36 msDS-ResultantPSO, it says the
If the RID in U!objectSid is equal to DOMAIN_USER_RID_KRBTGT, then there is no value in this attribute.
I tried adding a PSO object and applying it to the krbtgt user on a Windows 2012R2 VM. Based on the spec, I would expect no msDS-ResultantPSO to be returned for the krbtgt user. However, I do see one returned, e.g.
# record 1
msDS-ResultantPSO: CN=dummy-PSO,CN=Password Settings Container,CN=System,DC=WINDOWS2012R2,DC=WIN,DC=TIM,DC=WGTN,DC=CAT-IT,DC=
You can see the RID in the objectSid is 502, which is DOMAIN_USER_RID_KRBTGT.
Could you please clarify which is incorrect - the specification or the Windows behaviour? Or have I misunderstood something?
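The check described in this message, as an added example that is not part of the thread or of Samba/Windows code: derive the msDS-ResultantPSO value the MS-ADTS text calls for (krbtgt gets none, otherwise the lowest-precedence PSO linked to the user, then to the user's groups) and compare it with what a DC actually returned. The object dicts, the placeholder domain DC=example,DC=com, the GUID strings and the already-resolved `groups` list are constructed assumptions; GUID tie-breaking is done on the string form for brevity.

```python
from typing import Optional

DOMAIN_USER_RID_KRBTGT = 502  # well-known RID of the krbtgt account

def rid_from_sid(sid: str) -> int:
    """The RID is the last sub-authority of a textual SID, e.g. S-1-5-21-x-y-z-502."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    return int(parts[-1])

def expected_resultant_pso(user: dict, psos: dict) -> Optional[str]:
    """Spec-derived msDS-ResultantPSO: krbtgt -> no value; else the PSO linked
    directly to the user (msDS-PSOApplied) with the lowest precedence, ties broken
    by the lowest objectGUID; else the same rule over PSOs applied to the user's
    groups.  Assumption: user['groups'] already holds the transitive group DNs."""
    if rid_from_sid(user["objectSid"]) == DOMAIN_USER_RID_KRBTGT:
        return None
    def rank(dn):  # lower precedence wins, then lower GUID (string compare here)
        return (psos[dn]["precedence"], psos[dn]["objectGUID"])
    direct = [dn for dn in user.get("msDS-PSOApplied", []) if dn in psos]
    if direct:
        return min(direct, key=rank)
    groups = set(user.get("groups", []))
    via_groups = [dn for dn, p in psos.items() if groups & set(p["appliesTo"])]
    return min(via_groups, key=rank) if via_groups else None

def discrepancies(users: list, psos: dict) -> list:
    """(account, expected, observed) for users whose DC answer differs from the spec."""
    out = []
    for u in users:
        exp = expected_resultant_pso(u, psos)
        obs = u.get("msDS-ResultantPSO")
        if exp != obs:
            out.append((u["sAMAccountName"], exp, obs))
    return out

# Constructed sample data: one PSO linked directly to krbtgt and to a group.
# The observed value for krbtgt mirrors what the thread reports the DC returning.
PSO_DN = "CN=dummy-PSO,CN=Password Settings Container,CN=System,DC=example,DC=com"
GROUP_DN = "CN=Ops,DC=example,DC=com"
PSOS = {PSO_DN: {"precedence": 10, "appliesTo": [GROUP_DN],
                 "objectGUID": "11111111-1111-1111-1111-111111111111"}}
USERS = [
    {"sAMAccountName": "krbtgt", "objectSid": "S-1-5-21-1-2-3-502",
     "msDS-PSOApplied": [PSO_DN], "msDS-ResultantPSO": PSO_DN},
    {"sAMAccountName": "alice", "objectSid": "S-1-5-21-1-2-3-1105",
     "groups": [GROUP_DN], "msDS-ResultantPSO": PSO_DN},
]
```

Running `discrepancies(USERS, PSOS)` on this data flags only krbtgt, which is exactly the specification-versus-behaviour gap raised above.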