4.1.10.5.14 GetRevealSecretsPolicyForUser
procedure GetRevealSecretsPolicyForUser( rodcObj: DSName, userObj: DSName): RevealSecretsPolicy
Informative summary of behavior: The GetRevealSecretsPolicyForUser procedure returns the policy that indicates whether the server that holds the secrets of the user object userObj is allowed to send those secrets to the RODC identified by the RODC object rodcObj. If the policy explicitly prohibits the RODC from receiving the secrets, RevealSecretsDeny is returned. If the policy explicitly allows the RODC to receive the secrets, RevealSecretsAllow is returned. In all other cases, RevealSecretsNoPolicy is returned.
neverRevealObj: DSName
revealObj: DSName

/* An RODC can always cache secrets of its own account */
if rodcObj = userObj /* see section 5 DSNAME for DSName equality */ then
    return RevealSecretsAllow
endif

/* An RODC can always cache secrets of its own
 * secondary Kerberos TGT account but not other
 * secondary Kerberos TGT accounts.
 * See [MS-KILE] */
if rodcObj!msDS-KrbTgtLink = userObj then
    return RevealSecretsAllow
endif

krbtgts = select o from children DefaultNC()
          where o!msDS-KrbTgtLink ≠ null
foreach krbtgt in krbtgts do
    if userObj = krbtgt!msDS-KrbTgtLink then
        return RevealSecretsDeny
    endif
endfor

/* Never reveal secrets of inter-domain
 * trust accounts */
if userObj!UserAccountControl ∩ {ADS_UF_INTERDOMAIN_TRUST_ACCOUNT} ≠ {} then
    return RevealSecretsDeny
endif

/* Never reveal secrets of users reachable from
 * rodcObj!msDS-NeverRevealGroup */
foreach neverRevealObj in rodcObj!msDS-NeverRevealGroup do
    if IsUserIncluded(userObj!objectSid, neverRevealObj!objectSid) then
        return RevealSecretsDeny
    endif
endfor

/* Only reveal secrets of users reachable from
 * rodcObj!msDS-RevealOnDemandGroup */
foreach revealObj in rodcObj!msDS-RevealOnDemandGroup do
    if IsUserIncluded(userObj!objectSid, revealObj!objectSid) then
        return RevealSecretsAllow
    endif
endfor

return RevealSecretsNoPolicy
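As an added illustration (not code from MS-ADTS), the following Python models the directory as an in-memory dictionary and runs the checks above in the order the specification gives them, which is what makes the never-reveal list win over the reveal-on-demand list. IsUserIncluded is reduced to transitive group membership over a constructed SID-to-members map, and every DN and SID below is a constructed sample value.

```python
# Added example (not MS-ADTS's own code): a toy in-memory directory that evaluates
# GetRevealSecretsPolicyForUser in exactly the order the specification lists the checks.
from collections import deque
ADS_UF_INTERDOMAIN_TRUST_ACCOUNT = 0x0800  # real userAccountControl bit from MS-ADTS
ALLOW, DENY, NO_POLICY = "RevealSecretsAllow", "RevealSecretsDeny", "RevealSecretsNoPolicy"

def obj(dn, sid, uac=0, krbtgt=None, never=(), reveal=()):
    """Stand-in for a directory object; keys mirror the attribute names in the spec."""
    return {"dn": dn, "objectSid": sid, "userAccountControl": uac, "msDS-KrbTgtLink": krbtgt,
            "msDS-NeverRevealGroup": list(never), "msDS-RevealOnDemandGroup": list(reveal)}

def is_user_included(members, user_sid, target_sid):
    """Simplified IsUserIncluded: true if user_sid is target_sid or a transitive member of it."""
    seen, queue = set(), deque([target_sid])
    while queue:
        sid = queue.popleft()
        if sid == user_sid:
            return True
        if sid not in seen:
            seen.add(sid)
            queue.extend(members.get(sid, ()))   # members: group SID -> direct member SIDs
    return False

def get_reveal_secrets_policy(directory, members, rodc_dn, user_dn):
    rodc, user = directory[rodc_dn], directory[user_dn]
    if rodc_dn == user_dn or rodc["msDS-KrbTgtLink"] == user_dn:
        return ALLOW                    # own account and own secondary krbtgt are always cacheable
    if any(o["msDS-KrbTgtLink"] == user_dn for o in directory.values()):
        return DENY                     # another RODC's secondary krbtgt account
    if user["userAccountControl"] & ADS_UF_INTERDOMAIN_TRUST_ACCOUNT:
        return DENY                     # inter-domain trust accounts are never revealed
    for dn in rodc["msDS-NeverRevealGroup"]:   # the deny list is evaluated before the allow list
        if is_user_included(members, user["objectSid"], directory[dn]["objectSid"]):
            return DENY
    for dn in rodc["msDS-RevealOnDemandGroup"]:
        if is_user_included(members, user["objectSid"], directory[dn]["objectSid"]):
            return ALLOW
    return NO_POLICY

# Constructed sample data: two RODCs with their krbtgt accounts, groups, users and a trust account.
DIRECTORY = {o["dn"]: o for o in [
    obj("CN=RODC1", "S-1-5-21-1", krbtgt="CN=krbtgt_1", never=["CN=Denied"], reveal=["CN=Allowed"]),
    obj("CN=RODC2", "S-1-5-21-2", krbtgt="CN=krbtgt_2"),
    obj("CN=krbtgt_1", "S-1-5-21-11"), obj("CN=krbtgt_2", "S-1-5-21-12"),
    obj("CN=Denied", "S-1-5-21-100"), obj("CN=Allowed", "S-1-5-21-101"), obj("CN=Admins", "S-1-5-21-102"),
    obj("CN=Alice", "S-1-5-21-1001"), obj("CN=Bob", "S-1-5-21-1002"), obj("CN=Carol", "S-1-5-21-1003"),
    obj("CN=PARTNER$", "S-1-5-21-2000", uac=ADS_UF_INTERDOMAIN_TRUST_ACCOUNT)]}
# Admins is nested inside Denied; Alice is in Admins and Allowed, so the deny list wins for her.
MEMBERS = {"S-1-5-21-100": {"S-1-5-21-102"}, "S-1-5-21-102": {"S-1-5-21-1001"},
           "S-1-5-21-101": {"S-1-5-21-1001", "S-1-5-21-1002"}}
```

Bob is allowed because he is only in the reveal-on-demand group, while Alice is denied despite being in that same group, because she is reachable through the never-reveal group via nesting.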