3.1.1.4.5.34 msDS-RevealedList

The msDS-RevealedList attribute exists on AD DS (starting with the Windows Server 2008 operating system) but not on AD LDS.

The msDS-RevealedList attribute exists only on the computer object of an RODC. The value of msDS-RevealedList is a multivalued DN-String. The string portion of each value is the lDAPDisplayName of a secret attribute, and the DN portion of each value names an object. Each value represents the presence of a value for the named attribute on the named object on the RODC; in other words, the value has been "revealed" to the RODC. Because the attribute is constructed from msDS-RevealedUsers by comparing attribute stamps (see the procedure below), a value appears only while the secret cached on the RODC is still the object's current value: an entry whose secret has since changed on a writable DC does not appear in msDS-RevealedList even if it is still listed in msDS-RevealedUsers.

The msDS-RevealedList attribute is constructed from the msDS-RevealedUsers attribute as follows.

Let O be the object from which the msDS-RevealedList attribute is being read.

Let RESULT be a set of DN-String, initially empty.

For each V (a DN-Binary) in O!msDS-RevealedUsers do the following:

  • Let USER be the object with DN V.object_DN.

  • Let P (a PROPERTY_META_DATA, see [MS-DRSR] section 4.1.10.2.23) equal V.binary_value.

  • Let SCH equal SchemaObj(P.attrType) ([MS-DRSR] section 5.183).

  • Let RV be a DN-String with RV.string_value equal SCH!lDAPDisplayName and RV.object_DN equal V.object_DN.

  • Let A be SCH!lDAPDisplayName.

  • If AttributeStampCompare(P.propMetadataExt, AttrStamp(USER, P.attrType)) = 0, that is, if the stamp recorded when the value was revealed equals the current stamp of that attribute on USER, set RESULT = RESULT + {RV}. (See [MS-DRSR] section 4.1.10.3.5 for procedure AttributeStampCompare, and [MS-DRSR] section 5.13 for procedure AttrStamp.)

Return the set RESULT (if empty, the msDS-RevealedList attribute is not present).
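The construction above, worked through on constructed data, as an added example that is not part of the specification and not Microsoft code. It parses the LDAP string form of each msDS-RevealedUsers value (DN-Binary, "B:<hexlen>:<hex>:<DN>"), unpacks the PROPERTY_META_DATA blob, and keeps only the entries whose recorded stamp still equals the attribute's current stamp. The little-endian packing of PROPERTY_META_DATA, the comparison order used for AttributeStampCompare (dwVersion, then timeChanged, then uuidDsaOriginating), the behaviour of AttrStamp when the attribute is absent (returns None here), the ATTRTYP values in SCHEMA and the sample DNs and stamps are all assumptions of this example.

```python
import struct
import uuid
from dataclasses import dataclass

# PROPERTY_META_DATA (MS-DRSR 4.1.10.2.23) as carried in the binary portion of a
# msDS-RevealedUsers value: ATTRTYP attrType, then PROPERTY_META_DATA_EXT
# {DWORD dwVersion; DSTIME timeChanged; UUID uuidDsaOriginating; USN usnOriginating}.
# Little-endian, 4+4+8+16+8 = 40 bytes (packing assumed for this example).
_PMD_FMT = "<IIq16sq"
_PMD_LEN = struct.calcsize(_PMD_FMT)


@dataclass(frozen=True)
class AttributeStamp:
    version: int
    time_changed: int
    dsa_originating: uuid.UUID
    usn_originating: int


def attribute_stamp_compare(a: AttributeStamp, b: AttributeStamp) -> int:
    """AttributeStampCompare (MS-DRSR 4.1.10.3.5) as read here: order by dwVersion,
    then timeChanged, then uuidDsaOriginating; 0 means the stamps are equal."""
    ka = (a.version, a.time_changed, a.dsa_originating.int)
    kb = (b.version, b.time_changed, b.dsa_originating.int)
    return (ka > kb) - (ka < kb)


def parse_dn_binary(value: str):
    """Split an LDAP DN-Binary string 'B:<hexlen>:<hex>:<DN>' into (bytes, DN)."""
    tag, count, hexdata, dn = value.split(":", 3)
    if tag != "B" or int(count) != len(hexdata):
        raise ValueError("malformed DN-Binary value: %r" % value)
    return bytes.fromhex(hexdata), dn


def parse_property_meta_data(blob: bytes):
    """Return (attrType, AttributeStamp) from a PROPERTY_META_DATA blob."""
    if len(blob) != _PMD_LEN:
        raise ValueError("PROPERTY_META_DATA must be %d bytes" % _PMD_LEN)
    attr_type, ver, t, guid, usn = struct.unpack(_PMD_FMT, blob)
    return attr_type, AttributeStamp(ver, t, uuid.UUID(bytes_le=guid), usn)


def make_revealed_value(attr_type: int, stamp: AttributeStamp, dn: str) -> str:
    """Inverse of the two parsers; used only to build the constructed sample data."""
    blob = struct.pack(_PMD_FMT, attr_type, stamp.version, stamp.time_changed,
                       stamp.dsa_originating.bytes_le, stamp.usn_originating)
    return "B:%d:%s:%s" % (len(blob) * 2, blob.hex().upper(), dn)


def build_revealed_list(revealed_users, schema, attr_stamp):
    """The construction in 3.1.1.4.5.34: a (lDAPDisplayName, DN) pair is kept only
    when the stamp recorded at reveal time equals the attribute's current stamp.
    schema: ATTRTYP -> lDAPDisplayName (stands in for SchemaObj).
    attr_stamp(dn, attrType): current stamp or None (stands in for AttrStamp)."""
    result = set()
    for v in revealed_users:
        blob, user_dn = parse_dn_binary(v)
        attr_type, revealed_stamp = parse_property_meta_data(blob)
        current = attr_stamp(user_dn, attr_type)
        if current is None:
            continue  # attribute no longer present on the object (assumed AttrStamp result)
        if attribute_stamp_compare(revealed_stamp, current) == 0:
            result.add((schema[attr_type], user_dn))
    return result


# --- constructed sample data: not real ATTRTYP values, DSA GUIDs or a real forest ---
DSA_A = uuid.UUID("11111111-2222-3333-4444-555555555555")
SCHEMA = {0x5A: "unicodePwd", 0x7D: "supplementalCredentials"}
ALICE = "CN=alice,OU=Branch,DC=corp,DC=example"
BOB = "CN=bob,OU=Branch,DC=corp,DC=example"
CAROL = "CN=carol,OU=Branch,DC=corp,DC=example"

# Current stamps of the secret attributes on the writable copy of each object.
CURRENT_STAMPS = {
    (ALICE, 0x5A): AttributeStamp(3, 133_000_000, DSA_A, 9001),
    (BOB, 0x5A): AttributeStamp(5, 133_000_900, DSA_A, 9400),  # reset after the reveal
    # carol no longer has a supplementalCredentials value at all
}


def attr_stamp(dn, attr_type):
    return CURRENT_STAMPS.get((dn, attr_type))


# What the RODC's msDS-RevealedUsers recorded when each secret was revealed.
RODC_REVEALED_USERS = [
    make_revealed_value(0x5A, AttributeStamp(3, 133_000_000, DSA_A, 9001), ALICE),
    make_revealed_value(0x5A, AttributeStamp(4, 133_000_500, DSA_A, 9200), BOB),
    make_revealed_value(0x7D, AttributeStamp(1, 132_999_000, DSA_A, 8800), CAROL),
]


def revealed_list():
    """msDS-RevealedList as it would be read from the constructed RODC object."""
    return build_revealed_list(RODC_REVEALED_USERS, SCHEMA, attr_stamp)


if __name__ == "__main__":
    for name, dn in sorted(revealed_list()):
        print("%s:%s" % (name, dn))
```

Only alice survives: bob's entry is dropped because his unicodePwd stamp moved on after the reveal (the RODC holds a stale secret), and carol's because the attribute is no longer present on her object. From a compromise-assessment standpoint this is the useful distinction: msDS-RevealedList names the accounts whose current secrets an attacker would obtain from the RODC, while msDS-RevealedUsers also records the historic reveals.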