A question about RODC (read-only domain controller) and password sync


  • Can someone please help me with the following question please.

    if I have a RODC and a AD Group whose members are allowed to sync/cache their password on a RODC

    So Fred is in the group Sales and Sales are allowed to have their password synced to the RODC via the password replication policy.

    Fred authenticates against the RODC after which his password in synced to the RODC

    one week later Fred is removed from the Sales group as he is now in Marketing for example (change of role), there is no particular rule for marketing e.g. neighter allow or deny


    Will Freds password hash be removed from the RODC or will it simply remain then next time Fred changes his password it will nit be synced (as not out of scope) so the old password hash would on the RODC would be useless (to an attacjer for example) as not the correct one?

    Basically do RODC do any garbage collection for password hashes that are cached but no longer in scope as explained above.

    Thanks all


    יום שישי 18 מאי 2018 10:01

כל התגובות