diff --git a/Src/DSInternals.DataStore/DirectoryAgent.cs b/Src/DSInternals.DataStore/DirectoryAgent.cs
index 9feee38..8193685 100644
--- a/Src/DSInternals.DataStore/DirectoryAgent.cs
+++ b/Src/DSInternals.DataStore/DirectoryAgent.cs
@@ -140,6 +140,7 @@ public IEnumerable GetGroupManagedServiceAccounts(Da
 {
 // Fetch all KDS root keys first.
 var rootKeys = new Dictionary();
+ KdsRootKey latestRootKey = null;
 foreach (var rootKey in this.GetKdsRootKeys())
 {
@@ -148,6 +149,12 @@ public IEnumerable GetGroupManagedServiceAccounts(Da
 {
 // Allow the key to be found by ID
 rootKeys.Add(rootKey.KeyId, rootKey);
+
+ // Check if this key is the newest found yet
+ if(rootKey.EffectiveTime <= effectiveTime && (latestRootKey == null || latestRootKey.CreationTime < rootKey.CreationTime))
+ {
+ latestRootKey = rootKey;
+ }
 }
 }
@@ -159,13 +166,23 @@ public IEnumerable GetGroupManagedServiceAccounts(Da
 if (gmsa.ManagedPasswordId != null)
 {
- // Find the proper key by Guid
- Guid associateRootKeyId = gmsa.ManagedPasswordId.RootKeyId;
- bool keyFound = rootKeys.TryGetValue(associateRootKeyId, out var associatedRootKey);
+ DateTime nextPasswordChange = gmsa.PasswordLastSet.Value.AddDays(gmsa.ManagedPasswordInterval.Value);
+ KdsRootKey rootKeyToUse;
+ if (nextPasswordChange <= effectiveTime)
+ {
+ // The existing password has already expired, so generate the managed password based on the latest Root Key
+ rootKeyToUse = latestRootKey;
+ }
+ else
+ {
+ // Generate the managed password based on the Root Key currently associated with it
+ Guid associateRootKeyId = gmsa.ManagedPasswordId.RootKeyId;
+ rootKeys.TryGetValue(associateRootKeyId, out rootKeyToUse);
+ }
- if (keyFound)
+ if (rootKeyToUse != null)
 {
- gmsa.CalculatePassword(associatedRootKey, effectiveTime);
+ gmsa.CalculatePassword(rootKeyToUse, effectiveTime);
 }
 }
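Review bot: The newest-key selection on the added `if(` line filters on `EffectiveTime` but ranks on `CreationTime`, so a root key created later but carrying an earlier effective time beats one whose effective time is the most recent that has already passed; if the intent is "the key that is effective now", the ranking should use the same field as the filter, `latestRootKey.EffectiveTime < rootKey.EffectiveTime`. Whether the KDS picks its current root key by effective time or by creation time is not visible here and should be confirmed before changing it, and the added comment should then say which one is meant (`// Prefer the root key with the most recent effective time that is not in the future`). Minor style point: `if(` lacks the space that `if (` uses elsewhere in this file. The enclosing foreach begins in the previous hunk and the method continues beyond this one.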
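Review bot: The new `DateTime nextPasswordChange` line dereferences `gmsa.PasswordLastSet.Value` and `gmsa.ManagedPasswordInterval.Value`, but the only guard is `ManagedPasswordId != null`, so a gMSA with either attribute absent now throws `InvalidOperationException` and aborts the whole enumeration where the old code simply looked the key up by ID. Extend the guard on the context line, `if (gmsa.ManagedPasswordId != null && gmsa.PasswordLastSet.HasValue && gmsa.ManagedPasswordInterval.HasValue)`, or treat a missing value as "not expired" and keep the associated-key branch. In the expired branch `latestRootKey` can still be null when no root key is effective at `effectiveTime`; the `rootKeyToUse != null` check handles it, but a comment there (`// No usable root key: leave the password uncomputed`) would make the silent skip deliberate. The enclosing loop over `gmsa` starts before this hunk.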