Directory replication rights - why?

  • 314 Views
  • Last Post 17 September 2019
Ravi.Sabharanjak posted this 12 September 2019

Is anyone familiar with the impact of removing these groups from directory replication rights, OR why they are added there in the first place?
My concern is anyone who is added to these groups can replicate the password hashes off and can walk away with them...

  • RTCHSDomainServices (This is Lync / Skype for Business)
  • RTCHSUniversalServices (This is Lync / Skype for Business)
  • Exchange Trusted Subsystem (Exchange)
  • Exchange Trusted Subsystem (Exchange)
  • Exchange Trusted Subsystem (Exchange)
  • Organization Management (Exchange)

thanks,
-Ravi

bdesmond posted this 12 September 2019

I’m not aware of any of those workloads requiring Replicating Directory Changes All.

Thanks,

Brian

michael1 posted this 12 September 2019

And those workloads do not set that permission (at least they don’t in any of my test environments, which are “completely standard”).

RTCHSUniversalServices sets “Replicating Directory Changes” – notice no “All”.

Exchange Servers sets “Replication synchronization”.

Now, DirSync (Azure AD Connect) sets both “Replicating Directory Changes” and “Replicating Directory Changes All”.

Ravi.Sabharanjak posted this 16 September 2019

https://docs.microsoft.com/en-us/skypeforbusiness/schema-reference/active-directory-schema-extensions-classes-and-attributes/changes-made-by-domain-preparation seems to indicate that RTCHSUniversalServices is granted this by SFB setup. Am I interpreting this correctly? Any idea what will break if removed?

michael1 posted this 16 September 2019

DS-Replication-Get-Changes maps to “Replicating Directory Changes”. NOT “Replicating Directory Changes All”.

https://docs.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes

and

https://docs.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-all

If you remove DS-Replication-Get-Changes, you’ll break SfB.
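The distinction above (Get-Changes vs. Get-Changes-All vs. Synchronization) is visible in the ACL of the domain naming context, where each right is an extended-right ACE identified by its schema GUID. The following audit script is an added example, not from this thread or any Microsoft tooling; it assumes the ActiveDirectory RSAT module on a domain-joined host and read access to the domain root.

```powershell
# Added example: list which principals hold replication extended rights on the domain root.
# Assumes the ActiveDirectory module (RSAT) is installed and the session is domain-joined.
Import-Module ActiveDirectory

# rightsGuid values of the replication extended rights, as published in the AD schema.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'                 # "Replicating Directory Changes"
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'             # "Replicating Directory Changes All"
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
    '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Synchronization'             # "Replication synchronization"
}

$domainDN = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDN"

$results = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $guid = $ace.ObjectType.ToString().ToLower()

    if ($ReplicationRights.ContainsKey($guid)) {
        # ACE scoped to one specific replication right.
        [pscustomobject]@{ Principal = $ace.IdentityReference.Value; Right = $ReplicationRights[$guid]; Inherited = $ace.IsInherited }
    }
    elseif ($ace.ObjectType -eq [guid]::Empty -and
            ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) {
        # Caveat: an unscoped ExtendedRight (or GenericAll) ACE implicitly includes every
        # replication right, so it must be reported even though no GUID names them.
        [pscustomobject]@{ Principal = $ace.IdentityReference.Value; Right = 'ALL extended rights (unscoped)'; Inherited = $ace.IsInherited }
    }
}

$results | Sort-Object Principal, Right -Unique | Format-Table -AutoSize

# Get-Changes alone cannot read secret attributes; a principal holding Get-Changes-All
# (or an unscoped ExtendedRight) can replicate every attribute, so review that set separately.
$canReplicateAll = $results |
    Where-Object { $_.Right -in 'DS-Replication-Get-Changes-All', 'ALL extended rights (unscoped)' } |
    Select-Object -ExpandProperty Principal -Unique

"`nPrincipals able to replicate all attributes (compare against your approved list, e.g. DCs and Azure AD Connect):"
$canReplicateAll
```

Running this before and after removing a group from the ACL confirms exactly which of the three rights the change affected, which is the question at the heart of this thread.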

Ravi.Sabharanjak posted this 17 September 2019

Resending as this bounced - 
https://docs.microsoft.com/en-us/skypeforbusiness/schema-reference/active-directory-schema-extensions-classes-and-attributes/changes-made-by-domain-preparation seems to indicate that RTCHSUniversalServices is granted this by SFB setup. Am I interpreting this correctly? Any idea what will break if removed?

michael1 posted this 17 September 2019

I responded yesterday. Attached.
