gabriel/tfi (Posts: 425), 01/03/2009 4:20 PM
I would add that The Denied RODC Password Replication Group is just one of the groups by default listed in the msDS-NeverRevealGroup multivalued attribute of the RODC computer account object.
(Note: the denied list of the RODC Password Replication Policy is determined by that attribute).
The other groups are:
- Administrators
- Account Operators
- Server Operators
- Backup Operators
Ciao Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Friday, 2 January 2009 22:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] RODC and computer accounts that are allowed to have their creds replicated.
Here is the round about answer to your second question. 
dn: CN=Denied RODC Password Replication Group,CN=Users,DC=trouble,DC=loc
member: CN=Read-only Domain Controllers,CN=Users,DC=trouble,DC=loc
member: CN=Group Policy Creator Owners,CN=Users,DC=trouble,DC=loc
member: CN=Domain Admins,CN=Users,DC=trouble,DC=loc
member: CN=Cert Publishers,CN=Users,DC=trouble,DC=loc
member: CN=Enterprise Admins,CN=Users,DC=trouble,DC=loc
member: CN=Schema Admins,CN=Users,DC=trouble,DC=loc
member: CN=Domain Controllers,CN=Users,DC=trouble,DC=loc
member: CN=krbtgt,CN=Users,DC=trouble,DC=loc
--
O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Tony Gordon
Sent: Friday, January 02, 2009 3:36 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] RODC and computer accounts that are allowed to have their creds replicated.
We are planning to deploy RODCs to the regional offices. We have a relatively painless way to automatically populate the groups that allow "caching" the creds with the user accounts for each RODC. Computer accounts present more of a challenge. One of the thoughts is to just put domain computers group into the "Allowed RODC Password Replication" Group.
What are the specific risks we would be incurring in that scenario?
Is there a scenario where another DC (RO or RW) would auth to a particular RODC and in doing so cause its password to be replicated to that RODC?
How did other people that deployed RODCs deal with this issue?
Thank you, Tony.
Tony Gordon
Windows 2003 & 2000 MCSE, Windows 2003 MCSA, PMP
ITS Infrastructure Engineering
Hewitt Associates | 100 Half Day Road | Lincolnshire, IL 60069 | USA
Tel 847.295.5000 x50526 | Fax 847.554.1574
tony dot gordon at hewitt dot com | www.hewitt.com
_____
The information contained in this e-mail and any accompanying documents may contain information that is confidential or otherwise protected from disclosure. If you are not the intended recipient of this message, or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message, including any attachments. Any dissemination, distribution or other use of the contents of this message by anyone other than the intended recipient is strictly prohibited. All messages sent to and from this e-mail address may be monitored as permitted by applicable law and regulations to ensure compliance with our internal policies and to protect our business. E-mails are not secure and cannot be guaranteed to be error free as they can be intercepted, amended, lost or destroyed, or contain viruses. You are deemed to have accepted these risks if you communicate with us by e-mail.
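The thread above makes three points that are easy to check in practice: the PRP lives on the RODC computer object as msDS-NeverRevealGroup and msDS-RevealOnDemandGroup (Gabriele), the default Denied group already contains Domain Controllers, Read-only Domain Controllers and krbtgt (joe's dump), and putting Domain Computers into the Allowed group widens what a branch-office RODC may cache (Tony's question). The following script is an added example written for this page, not code from the list or from either author; it assumes the RSAT ActiveDirectory PowerShell module and a session that can read the domain. The list of "over-broad" group names is an assumption chosen for illustration.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module
# and a domain-joined session that can read the RODC computer objects.
Import-Module ActiveDirectory

# Principals that make the Allowed list effectively "everyone" (assumed list;
# the thread's question is whether Domain Computers belongs in it).
$overBroad = @('Domain Computers', 'Domain Users', 'Authenticated Users', 'Everyone')

foreach ($rodc in (Get-ADDomainController -Filter { IsReadOnly -eq $true })) {
    Write-Host "==== $($rodc.HostName) ===="

    # The PRP is stored on the RODC's own computer object: msDS-NeverRevealGroup
    # is the Denied list and msDS-RevealOnDemandGroup the Allowed list. The
    # "Denied/Allowed RODC Password Replication Group" entries are only defaults.
    $obj = Get-ADComputer -Identity $rodc.ComputerObjectDN `
        -Properties 'msDS-NeverRevealGroup', 'msDS-RevealOnDemandGroup'
    Write-Host 'Denied  (msDS-NeverRevealGroup):'
    $obj.'msDS-NeverRevealGroup'    | ForEach-Object { Write-Host "  $_" }
    Write-Host 'Allowed (msDS-RevealOnDemandGroup):'
    $obj.'msDS-RevealOnDemandGroup' | ForEach-Object { Write-Host "  $_" }

    # The same two lists via the PRP cmdlet, which resolves each DN to a principal.
    $prp     = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc.Name
    $allowed = $prp | Where-Object { $_.Type -eq 'Allowed' }
    $denied  = $prp | Where-Object { $_.Type -eq 'Denied' }

    # Check 1: an over-broad principal in the Allowed list means every member's
    # secret is eligible to be cached on this RODC.
    foreach ($a in $allowed) {
        if ($overBroad -contains $a.Name) {
            Write-Warning "$($rodc.Name): '$($a.Name)' is in the Allowed list"
        }
    }

    # Expand the Denied list to individual principals (Denied wins over Allowed).
    # PRP entries may be users or computers as well as groups, so expand groups only.
    $deniedDNs = foreach ($d in $denied) {
        if ($d.ObjectClass -eq 'group') {
            try {
                Get-ADGroupMember -Identity $d.DistinguishedName -Recursive |
                    Select-Object -ExpandProperty DistinguishedName
            } catch {
                Write-Warning "Could not expand $($d.Name): $_"
            }
        } else {
            $d.DistinguishedName
        }
    }

    # Check 2: nothing on the Denied side should appear among the secrets this
    # RODC actually holds. Since Domain Controllers, Read-only Domain Controllers
    # and krbtgt are in the default Denied group, a hit here is the case Tony
    # asked about (a DC's password ending up cached on an RODC).
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage `
        -Identity $rodc.Name -RevealedAccounts
    foreach ($r in $revealed) {
        if ($deniedDNs -contains $r.DistinguishedName) {
            Write-Warning "$($rodc.Name): denied principal '$($r.Name)' has a cached secret; investigate"
        }
    }
    Write-Host ("Cached secrets on this RODC: {0}" -f @($revealed).Count)

    # For context, the RODC also records which accounts have authenticated
    # through it; accounts here that are not in the Allowed list were forwarded
    # to a writable DC instead of being cached.
    $authed = Get-ADDomainControllerPasswordReplicationPolicyUsage `
        -Identity $rodc.Name -AuthenticatedAccounts
    Write-Host ("Accounts that authenticated via this RODC: {0}" -f @($authed).Count)
}
```

Run it from a management workstation after deploying or changing a PRP; the two warnings are the ones worth wiring into a scheduled check, since an over-broad Allowed entry or a denied principal with a cached secret both mean the branch-office RODC now holds more than the policy intended.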