
RODC Authentication Issue - "Accounts that have been authenticated to this RODC" from all over the network

Hi,

We have a head office site (two RWDCs) with multiple branch offices (each has one RODC). Sites and Services is correct. We have about 1000 user/computer objects.

We have an issue with users from different sites appearing to be authenticating against RODCs not in their own site. Looking at the properties of the RODC computer account / PRP / Advanced / Policy Usage tab / selecting "Accounts that have been authenticated to this RODC", there are standard users and computers from all over the network.

This is how I have configured my RODC PRP:

  • Created a security group and added each user and computer to this group, then added the group to the "Allow" list of the RODC's PRP
  • Made sure the generic 'Allowed RODC Password Replication Group' is empty (as this spans all RODCs and I want site control)
  • Checked under the Resultant Policy tab that users or computers from other sites are (implicitly) denied

Under Policy Usage, the "Accounts whose passwords are stored on this RODC" list is actually correct and reflects the members of the above security group.

Is this in fact a problem? Why would the accounts from other sites have actually touched an RODC not in their site? Authentication should only go from the workstation -> site RODC -> RWDC -> back to the same site RODC (cached or not, depending on group access (ACL)) -> workstation.

Thanks in advance
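An added example (not part of the original post) that pulls the two Policy Usage lists the question compares, for one RODC, and reports which accounts authenticated through it without being covered by its site allow group; it also checks that the generic allow group is still empty. The RODC name and group name are placeholders, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example: compare "authenticated to" vs "passwords stored on" for one RODC.
# Placeholders below are assumptions; replace them with your own names.
Import-Module ActiveDirectory

$Rodc       = 'BRANCH01-RODC'          # placeholder: the RODC computer account
$AllowGroup = 'RODC-Branch01-Allowed'  # placeholder: the per-site PRP allow group

# Accounts the RODC has forwarded an authentication for (Policy Usage: "authenticated to")
$authenticated = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts)

# Accounts whose secrets are actually cached on the RODC (Policy Usage: "passwords stored")
$revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)

# Members of the site-specific allow group, resolved through nested groups
$allowedDNs = @(Get-ADGroupMember -Identity $AllowGroup -Recursive |
    Select-Object -ExpandProperty DistinguishedName)

# Accounts that authenticated via this RODC but are outside its allow group
$outsiders = $authenticated | Where-Object { $allowedDNs -notcontains $_.DistinguishedName }

# Anything cached that is outside the allow group would be a real PRP problem
$cachedOutside = $revealed | Where-Object { $allowedDNs -notcontains $_.DistinguishedName }

"{0} accounts authenticated via {1}; {2} of them are not in {3}" -f `
    $authenticated.Count, $Rodc, @($outsiders).Count, $AllowGroup
$outsiders | Sort-Object ObjectClass, Name |
    Format-Table Name, ObjectClass, DistinguishedName -AutoSize

if (@($cachedOutside).Count -gt 0) {
    "WARNING: secrets cached on $Rodc for accounts outside ${AllowGroup}:"
    $cachedOutside | Format-Table Name, ObjectClass -AutoSize
} else {
    "OK: every account cached on $Rodc is a member of $AllowGroup"
}

# The domain-wide allow group should stay empty when PRP is managed per site
$genericMembers = @(Get-ADGroupMember -Identity 'Allowed RODC Password Replication Group')
if ($genericMembers.Count -gt 0) {
    "WARNING: 'Allowed RODC Password Replication Group' has $($genericMembers.Count) member(s)"
}
```

Run it from a host with RSAT against each branch RODC; the "authenticated to" list is expected to be a superset of the cached list, and only the cached list is bounded by the PRP.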
