{"id":276,"date":"2014-07-27T15:17:21","date_gmt":"2014-07-27T19:17:21","guid":{"rendered":"http:\/\/adsecurity.org\/?p=276"},"modified":"2014-09-16T21:59:12","modified_gmt":"2014-09-17T01:59:12","slug":"rodc-trick-remove-a-users-password-from-a-rodc-without-forcing-the-user-to-change-her-password","status":"publish","type":"post","link":"https:\/\/adsecurity.org\/?p=276","title":{"rendered":"RODC Trick: Remove a User\u2019s Password from a RODC without forcing the user to change her password"},"content":{"rendered":"<p>TechNet <a href=\"http:\/\/technet.microsoft.com\/en-us\/library\/cc754956%28WS.10%29.aspx\">(RODC FAQ<\/a>) states:<\/p>\n<blockquote><p><strong>How can you clear a password that is cached on an RODC?<\/strong><\/p>\n<p><strong>There is no mechanism to erase passwords after they are cached on an RODC.<\/strong> If you want to clear a password that is stored on an RODC, an administrator should reset the password in the hub site. This way, the password that is cached in the branch will no longer be valid for accessing any resources in the hub site or other branches. In the branch that contains the RODC on which the password may have been compromised, the password will still be valid for authentication purposes until the next replication cycle, at which time its value that is stored on the RODC will be changed to Null. The new password will be cached only after the user authenticates with it\u2014or the new password is prepopulated on the RODC\u2014and if the PRP has not been changed.<\/p>\n<p>In the event that an RODC is compromised, you should reset the passwords for all accounts that have cached passwords and then rebuild the RODC.<\/p><\/blockquote>\n<p>I disagree.<br \/>\nThere is a way to do this. It may not be the officially \u201csupported method\u201d, but there definitely is a way to remove a user\u2019s password from a RODC.<\/p>\n<p>Why would you want to do this? 
Say that an executive travels to a field site and an admin adds her account to the RODC Password Allow group. This means the executive\u2019s password is cached on the RODC at that site upon successful logon. You realize that the RODC has stored the executive\u2019s password (oops!) and you have the same security concerns about the site that led you to only deploy a RODC there. You want to wipe the password from the RODC, but don\u2019t want the executive to have to change her password. What to do?<\/p>\n<p>Check the RODC computer object and see that the executive (Jane Executive in this example) shows up in the list of security principals with their passwords stored on the RODC (msDS-RevealedList).<\/p>\n<p>The LDAP Modify Operation \u201c<a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/cc223850%28v=prot.10%29.aspx\">RODCPurgeAccount<\/a>\u201d causes the RODC to NULL the cached secrets of a specified security principal (User or Computer).<\/p>\n<p>Here\u2019s a (likely unsupported) way to do it.<\/p>\n<p>Open LDP on a writable DC and connect to the RODC on port 389 (LDAP) or 636 (LDAPS). Bind to the server (ensure you have Domain Admin credentials). Select Modify (operation) from the drop down and set the following:<\/p>\n<p>DN: [blank]<br \/>\nEdit Entry Attribute: RODCPurgeAccount<br \/>\nValues: CN=Jane Executive,OU=Executives,DC=metcorp,DC=org [Account DN]<br \/>\nClick Replace<br \/>\nClick Enter<br \/>\nClick Run.<\/p>\n<p>You should see the Modify is Successful.<\/p>\n<p>Check the RODC computer object and see that the executive (Jane Executive in this example) is NOT in the list of security principals with their passwords stored on the RODC.<\/p>\n<p>Security concern: the executive\u2019s password was stored on the RODC during some period of time which means it was committed to the AD database (in memory &amp; on disk). 
The correct way to ensure the executive\u2019s password is not available is to have her change it (when WAS the last time she changed her password?) since this will invalidate any cached passwords floating around the network.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>TechNet (RODC FAQ) states: How can you clear a password that is cached on an RODC? There is no mechanism to erase passwords after they are cached on an RODC. If you want to clear a password that is stored on an RODC, an administrator should reset the password in the hub site. This way, &hellip; <\/p>\n<p><a class=\"more-link btn\" href=\"https:\/\/adsecurity.org\/?p=276\">Continue reading<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[75,105,106,107,104,108],"class_list":["post-276","post","type-post","status-publish","format-standard","hentry","category-technical-reference","tag-active-directory","tag-ldap-modify-operation","tag-read-only-domain-controller","tag-replication","tag-rodc","tag-rodcpurgeaccount","item-wrap"],"_links":{"self":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/276","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=276"}],"version-history":[{"count":1,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/276\/revisions"}],"predecessor-version":[{"id":277,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/276\/revisions\/277"}],"wp:attachment":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=276"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=276"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=276"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}