none
A question about RODC (read-only domain controller) and password sync

    Question

  • Can someone please help me with the following question please.

    if I have a RODC and a AD Group whose members are allowed to sync/cache their password on a RODC

    So Fred is in the group Sales and Sales are allowed to have their password synced to the RODC via the password replication policy.

    Fred authenticates against the RODC after which his password in synced to the RODC

    one week later Fred is removed from the Sales group as he is now in Marketing for example (change of role), there is no particular rule for marketing e.g. neighter allow or deny

    Question

    Will Freds password hash be removed from the RODC or will it simply remain then next time Fred changes his password it will nit be synced (as not out of scope) so the old password hash would on the RODC would be useless (to an attacjer for example) as not the correct one?

    Basically do RODC do any garbage collection for password hashes that are cached but no longer in scope as explained above.

    Thanks all

    CAshtones

    Friday, May 18, 2018 10:01 AM

All replies