Enumerate the RODC FAS (Filtered Attribute List)

The FAS is the Read Only Domain Controller (RODC) Filtered Attribute Set,
it contains the attributes in the AD Schema that are never replicated to RODCs,
because they contain sensitive or confidential data (password related or other secrets).
Technically this is implemented by setting the 10th bit on the SearchFlags attribute of the schema attribute,
and also setting the 7th bit to make it ‘confidential’.
This means members of ‘Authenticated Users’ can’t read the contents,
this is to have additional security, in case your RODC was robbed, it can’t be used to read the info from other RW or RODCs.
In the examples below the bits practically mean that you need to use 512 (0X200) for searching for RODC Filtered Attributes,
128 (0X80) ) for confidential attributes, and 640 (0x280) for the combination, which is the Microsoft recommended approach,
for adding confidential attributes to the FAS.
But if it is set on attribute level in the Schema definition of attribues,
I guess it’s not a list in the sense you can view it as a list (array) of some kind in AD.
But I was wondering, if I want to view quickly which attributes are in the FAS in a certain Forest, how could I do that ?
I found following article on how to search for certain bitwise set values in Active Directory:
Exactly what I was looking for!
I started manually using LDP to try to get the FAS Attributes.
Using a standard search in the Schema partition, I got it to work pretty quickly:
The search returned following list on this environment:


ldap_search_s(ld, "CN=Schema,CN=Configuration,DC=lab,DC=net", 1, "(SearchFlags:1.2.840.113556.1.4.803:=512)", attrList, 0, &msg)

Getting 6 entries:

Dn: CN=ms-FVE-KeyPackage,CN=Schema,CN=Configuration,DC=lab,DC=net

canonicalName: lab.net/Configuration/Schema/ms-FVE-KeyPackage;

name: ms-FVE-KeyPackage;

objectClass (2): top; attributeSchema;

Dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=lab,DC=net

canonicalName: lab.net/Configuration/Schema/ms-FVE-RecoveryPassword;

name: ms-FVE-RecoveryPassword;

objectClass (2): top; attributeSchema;

Dn: CN=ms-PKI-AccountCredentials,CN=Schema,CN=Configuration,DC=lab,DC=net

canonicalName: lab.net/Configuration/Schema/ms-PKI-AccountCredentials;

name: ms-PKI-AccountCredentials;

objectClass (2): top; attributeSchema;

Dn: CN=ms-PKI-DPAPIMasterKeys,CN=Schema,CN=Configuration,DC=lab,DC=net

canonicalName: lab.net/Configuration/Schema/ms-PKI-DPAPIMasterKeys;

name: ms-PKI-DPAPIMasterKeys;

objectClass (2): top; attributeSchema;

Dn: CN=ms-PKI-RoamingTimeStamp,CN=Schema,CN=Configuration,DC=lab,DC=net

canonicalName: lab.net/Configuration/Schema/ms-PKI-RoamingTimeStamp;

name: ms-PKI-RoamingTimeStamp;

objectClass (2): top; attributeSchema;

Dn: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=lab,DC=net

canonicalName: lab.net/Configuration/Schema/ms-TPM-OwnerInformation;

name: ms-TPM-OwnerInformation;

objectClass (2): top; attributeSchema;


Ok, so far so good,
but of course my preference would be to have this Powershell-ized,
so it is easy to use for automation (for reporting or somekind of automatic checking).
I wanted to used the AD PowerShell Module in Powershell 2.0 (Windows 7 and W2K8 R2 only at this time),
combined with the Active Directory Web Service (available for Windows 2003 and up at this time!).
I use the Get-ADObject Cmdlet in the example below, to get the same information as I got using LDP above:
Get-ADObject -LDAPFilter "(&(ObjectClass=attributeSchema)(SearchFlags:1.2.840.113556.1.4.803:=512))"
-SearchBase ‘cn=Schema,cn=Configuration,dc=sandbox,dc=net’ -server  -SearchScope Subtree | fl  *
DistinguishedName : CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=lab,DC=net
Name              : ms-FVE-RecoveryPassword
ObjectClass       : attributeSchema
ObjectGUID        : 6d27488e-eab9-4d40-b475-053c44b2cbc3
PropertyNames     : {DistinguishedName, Name, ObjectClass, ObjectGUID}
PropertyCount     : 4
DistinguishedName : CN=ms-FVE-KeyPackage,CN=Schema,CN=Configuration,DC=lab,DC=net
Name              : ms-FVE-KeyPackage
ObjectClass       : attributeSchema
ObjectGUID        : dbf86f5a-55fa-477a-aaac-f6702d5f7416
PropertyNames     : {DistinguishedName, Name, ObjectClass, ObjectGUID}
PropertyCount     : 4
DistinguishedName : CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=lab,DC=net
Name              : ms-TPM-OwnerInformation
ObjectClass       : attributeSchema
ObjectGUID        : 558234a0-6a87-427f-9ba1-218a669f1951
PropertyNames     : {DistinguishedName, Name, ObjectClass, ObjectGUID}
PropertyCount     : 4
DistinguishedName : CN=ms-PKI-RoamingTimeStamp,CN=Schema,CN=Configuration,DC=lab,DC=net
Name              : ms-PKI-RoamingTimeStamp
ObjectClass       : attributeSchema
ObjectGUID        : 69c0b65e-97f7-4c8f-95f8-a93436873cbb
PropertyNames     : {DistinguishedName, Name, ObjectClass, ObjectGUID}
PropertyCount     : 4
DistinguishedName : CN=ms-PKI-DPAPIMasterKeys,CN=Schema,CN=Configuration,DC=lab,DC=net
Name              : ms-PKI-DPAPIMasterKeys
ObjectClass       : attributeSchema
ObjectGUID        : b4dbff5e-3271-4503-8cf3-f008543cc5f3
PropertyNames     : {DistinguishedName, Name, ObjectClass, ObjectGUID}
PropertyCount     : 4
DistinguishedName : CN=ms-PKI-AccountCredentials,CN=Schema,CN=Configuration,DC=lab,DC=net
Name              : ms-PKI-AccountCredentials
ObjectClass       : attributeSchema
ObjectGUID        : a8cba1e4-34f2-41da-968b-68cc8066073c
PropertyNames     : {DistinguishedName, Name, ObjectClass, ObjectGUID}
PropertyCount     : 4
So now I got a command to easily extract the RODC Filtered Attribute List (FAS) from Active Directory,
mission accomplished, on to the next one!

One response to “Enumerate the RODC FAS (Filtered Attribute List)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s