Hello Tim We have created a case; 118040517948537, to track your inquiry and an Escalation Engineer will contact you to assist further.
Best Regards, Tarun Chopra | Sr. Escalation Engineer Open Specifications Support Team Work +1-425-705-5042 Email tarun.cho...@microsoft.com Monday-Friday 9:00a-6:00p Pacific Timezone -----Original Message----- From: Tim Beale <timbe...@catalyst.net.nz> Sent: Thursday, April 5, 2018 2:00 PM To: Interoperability Documentation Help <doch...@microsoft.com>; cifs-protocol@lists.samba.org Subject: MS-ADTS: msDS-ResultantPSO and DOMAIN_USER_RID_KRBTGT discrepancy Hi, I'm looking into the behaviour of msDS-ResultantPSO and found a discrepancy between the specification and the actual behaviour. In MS-ADTS, section 3.1.1.4.5.36 msDS-ResultantPSO [1], it says the following: If the RID in U!objectSid is equal to DOMAIN_USER_RID_KRBTGT, then there is no value in this attribute. I tried adding a PSO object and applying it to the krbtgt user on a Windows 2012R2 VM. Based on the spec, I would expect no msDS-ResultantPSO to be returned for the krbtgt user. However, I do see one returned, e.g. # record 1 dn: CN=krbtgt,CN=Users,DC=WINDOWS2012R2,DC=WIN,DC=TIM,DC=WGTN,DC=CAT-IT,DC=CO,DC=NZ objectSid: S-1-5-21-886655096-618523297-2770022155-502 msDS-ResultantPSO: CN=dummy-PSO,CN=Password Settings Container,CN=System,DC=WINDOWS2012R2,DC=WIN,DC=TIM,DC=WGTN,DC=CAT-IT,DC=CO,DC=NZ You can see the RID in the objectSid is 502, which is DOMAIN_USER_RID_KRBTGT. Could you please clarify which is incorrect - the specification or the Windows behaviour? Or have I misunderstood something? Thanks, Tim [1] https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmsdn.microsoft.com%2Fen-us%2Flibrary%2Fcc223866.aspx&data=02%7C01%7Cdochelp%40windows.microsoft.com%7Ce172420a92714a01130f08d59b383228%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636585588018722990&sdata=KdE0SNnF0Xy3GBjnp8UKzXt4GB9xQ2j0fFKuUZaD9JI%3D&reserved=0 _______________________________________________ cifs-protocol mailing list cifs-protocol@lists.samba.org https://lists.samba.org/mailman/listinfo/cifs-protocol