3.1.1.4.5.32 msDS-IsUserCachableAtRodc

The msDS-IsUserCachableAtRodc attribute exists on AD DS but not on AD LDS.

This attribute indicates whether a specified RODC is permitted by administrator policy to cache the secret attributes of a specified security principal. The DN of the security principal is specified using the LDAP Control LDAP_SERVER_DN_INPUT_OID. The DN specified is either an RFC 2253–style DN or one of the alternate DN formats specified in section 3.1.1.3.1.2.4.

Let TO be the object on which msDS-IsUserCachableAtRodc is being read. If TO is not an nTDSDSA, computer, or server object, then TO!msDS-IsUserCachableAtRodc is not present.

  • If TO is a computer object:

    • If TO!userAccountControl does not have the ADS_UF_PARTIAL_SECRETS_ACCOUNT bit set, TO!msDS-IsUserCachableAtRodc is not present.

    • If TO!userAccountControl has the ADS_UF_PARTIAL_SECRETS_ACCOUNT bit set, the value of TO!msDS-IsUserCachableAtRodc is calculated as follows:

      • Let D be the DN of the user principal specified using LDAP Control LDAP_SERVER_DN_INPUT_OID. If the DN of a security principal is not explicitly specified, D is the DN of the current requester.

      • TO!msDS-IsUserCachableAtRodc = GetRevealSecretsPolicyForUser(TO!distinguishedName, D) (procedure GetRevealSecretsPolicyForUser is defined in [MS-DRSR] section 4.1.10.5.14).

  • If TO is a server object:

    • Let TC be the computer object named by TO!serverReference. Apply the previous rule for the "TO is a computer object" case, substituting TC for TO.

  • If TO is an nTDSDSA object:

    • Let TS be the server object that is the parent of TO. Apply the previous rule for the "TO is a server object" case, substituting TS for TO.