Administer Passwords and Password Replication Policy for Read-Only Domain Controllers with Repadmin.exe

Updated: March 15, 2010

Applies To: Windows Server 2008, Windows Server 2008 R2

This topic describes the following commands that were added to Repadmin.exe in Windows Server 2008 to manage passwords and Password Replication Policy (PRP) for read-only domain controllers (RODCs). RODCs are available in Windows Server 2008 and Windows Server 2008 R2.

  • repadmin /prp

  • repadmin /rodcpwdrepl

Repadmin.exe is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have the Active Directory Domain Services (AD DS) server role or the Active Directory Lightweight Directory Services (AD LDS) server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (https://go.microsoft.com/fwlink/?LinkID=177813).

In Windows Server 2008 and Windows Server 2008 R2, you must run command-line-based tools from an elevated command prompt. To open an elevated Command Prompt using the credentials of a Domain Admin, click Start. In Start Search, type runas /user:<domainName>\<domainAdminUser> cmd, and then press ENTER. Replace <domainName> with the domain name, and replace <domainAdminUser> with the name of a user account that is a member of the Domain Admins group in that domain.

For more information about managing passwords and the PRP for RODCs, see Administering the Password Replication Policy (https://go.microsoft.com/fwlink/?LinkId=185778).

repadmin /prp

You can use this command to view or modify the PRP for an RODC. The PRP determines which account passwords are allowed to be cached on an RODC and which accounts are denied from being cached.

Syntax

Repadmin /prp [operation] RODC [additional arguments]

Operations

The repadmin /prp command can perform the following operations:

  • Add

  • Delete

  • Move

  • View

Additional arguments are available for each operation.

Add

Adds the specified security principal to the msDS-RevealOnDemandGroup attribute that is associated with the RODC. (This attribute is also known as the Allowed List.)

Note

You cannot use repadmin /prp commands to add an account to the Deny List or remove an account from the Deny List. To configure the Deny List, you can use the Active Directory Users and Computers snap-in or you can create a script. For example, if you want to deny members of the group RODC2Admins from caching passwords on RODC2, which is located in the Branch2 organizational unit (OU) of hq.cpandl.com, you can use the following script:

Option Explicit

'The following constants specify whether to Clear, Update, Append, or Delete a property of an Active Directory object
Const ADS_PROPERTY_CLEAR = 1
Const ADS_PROPERTY_UPDATE = 2
Const ADS_PROPERTY_APPEND = 3
Const ADS_PROPERTY_DELETE = 4

Const ATT = "msDS-NeverRevealGroup"
'The setting for ATT determines which list will be modified
'msDS-AuthenticatedToAccountlist is for the authenticated to or Auth2 list
'msDS-RevealedList is for the password revealed or cached list
'msDS-RevealOnDemandGroup is for the allowed to authenticate list
'msDS-NeverRevealGroup is for the denied from authenticating list

Dim PRPObj, RODCObj, objComputer

'PRPObj defines the object (by distinguished name) that is added to the PRP list
PRPObj = "CN=RODC2Admins,OU=Branch2,DC=hq,DC=cpandl,DC=com"

'RODCObj defines the RODC computer object whose PRP should be modified
RODCObj = "LDAP://CN=RODC2,OU=Domain Controllers,DC=hq,DC=cpandl,DC=com"

'Binds to the RODC computer object based on the LDAP path set in RODCObj
Set objComputer = GetObject(RODCObj)

'Stages the change (here an APPEND to the multi-valued attribute) and commits it to the directory
objComputer.PutEx ADS_PROPERTY_APPEND, ATT, Array(PRPObj)
objComputer.SetInfo

'Confirms that the modification has taken place (this is optional)
WScript.Echo "Modified list attributes for object " & PRPObj

'Closes the script
WScript.Quit 0

Syntax
repadmin /prp add <RODC> allow <PRINCIPAL>
Additional parameters
Parameter Definition

<RODC>

Specifies the host name of the RODC. You can specify the single-label host name or the fully qualified domain name (FQDN). In addition, you can use an asterisk (*) as a wildcard character to specify multiple RODCs in one domain.

<PRINCIPAL>

Specifies the name of the security principal that you want to add to the Allowed List.

Delete

Deletes one or more specified security principals from the msDS-AuthenticatedToAccountList attribute or from the msDS-RevealOnDemandGroup attribute that is associated with the RODC. (The msDS-AuthenticatedToAccountList attribute is also known as the Authenticated To List, and the msDS-RevealOnDemandGroup attribute is also known as the Allowed List.)

Syntax
repadmin /prp delete <RODC> allow {<PRINCIPAL>|/all}
repadmin /prp delete <RODC> auth2 /all
Additional parameters
Parameter Definition

<RODC>

Specifies the host name of the RODC. You can specify the single-label host name or the FQDN. In addition, you can use an asterisk (*) as a wildcard character to specify multiple RODCs in one domain.

<PRINCIPAL>

Specifies the name of the security principal that you want to delete from the Allowed List. Specify /all to have the operation delete all security principals.

/all

Specifies all security principals. You cannot delete only one security principal from the msDS-AuthenticatedToAccountList attribute.

Move

Moves all the security principals from the msDS-AuthenticatedToAccountList attribute to the specified group. If the group does not exist, this command creates the group. If necessary, this command also adds the group to the msDS-RevealOnDemandGroup attribute of the RODC. (The msDS-AuthenticatedToAccountList attribute is also known as the Authenticated To List, and the msDS-RevealOnDemandGroup attribute is also known as the Allowed List.)

Syntax
repadmin /prp move <RODC> <Group> [/noauth2cleanup] [/users_only | /comps_only]
Additional parameters
Parameter Definition

<RODC>

Specifies the host name of the RODC. For this operation, you can specify the single-label host name or the FQDN.

<Group>

Specifies the name of the security group to which you want to move the security principals. If the security group does not exist, this command creates the security group in the built-in Users container. You can specify the name of the security group but not the distinguished name.

/noauth2cleanup

Retains the list of security principals in the msDS-AuthenticatedToAccountList attribute after the Move operation is complete. By default, the msDS-AuthenticatedToAccountList attribute is cleared.

/users_only

Moves only user accounts from the msDS-AuthenticatedToAccountList attribute to the specified group. The group is then added to the msDS-RevealOnDemandGroup attribute.

/comps_only

Moves only computer accounts from the msDS-AuthenticatedToAccountList attribute to the specified group. The group is then added to the msDS-RevealOnDemandGroup attribute.

View

Displays the security principals in the specified list or displays the current PRP setting (allowed or denied) for a specified user.

Syntax
repadmin /prp view <RODC> {<List_Name>|<User>}
Additional parameters
Parameter Definition

<RODC>

Specifies the host name of the RODC. You can specify the single-label host name or the FQDN. In addition, you can use an asterisk (*) as a wildcard character to specify multiple RODCs in one domain.

<List_Name>

Specifies the list whose security principals you want to view. The valid list names are as follows:

  • auth2: The list of security principals that the RODC has authenticated.

  • reveal: The list of security principals for which the RODC has cached passwords.

  • allow: The list of security principals in the msDS-RevealOnDemandGroup attribute. The RODC can cache passwords for this list of security principals only.

  • deny: The list of security principals in the msDS-NeverRevealGroup attribute. The RODC cannot cache passwords for any security principals in this list.

<User>

Displays the effective PRP setting (allowed or denied) for the specified user. You can specify either the user name or the distinguished name.

Example 1: View the PRP of an RODC

The following examples show how to view the accounts that are configured in the PRP that applies to an RODC with the host name RODC2 in the domain hq.cpandl.com.

To view the accounts that are allowed to have their passwords cached on the RODC, use the following command:

repadmin /prp view rodc2.hq.cpandl.com allow

To view the accounts that are denied from having their passwords cached on the RODC (also known as the Deny list), use the following command:

repadmin /prp view rodc2.hq.cpandl.com deny

Example 2: View accounts that an RODC has authenticated

To review the list of authenticated accounts for RODC2 in the hq.cpandl.com domain, use the following command:

repadmin /prp view rodc2.hq.cpandl.com auth2
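The four lists above are most useful when compared with each other. The following PowerShell script is an added example and is not from the original page or from Microsoft: it wraps repadmin /prp view for each list name, keeps only the lines that look like LDAP distinguished names, and then reports two things a reviewer wants to see, accounts that have authenticated through the RODC but are not cached (the candidates for the Move operation described later) and any privileged principal that appears in the Allowed List or in the cached list. It assumes repadmin.exe is on the PATH, that repadmin prints each principal as its distinguished name on its own line, and that the privileged group names and the host name rodc2.hq.cpandl.com are illustrative values.

```powershell
# Added example (not from the original page): audit an RODC's PRP lists via repadmin /prp view.
# Assumptions: repadmin.exe is on PATH and prints one distinguished name per line for each
# principal; the privileged group CNs below are an illustrative default, adjust for your domain.

function Get-RodcPrpList {
    param(
        [Parameter(Mandatory)][string]$Rodc,
        [Parameter(Mandatory)][ValidateSet('auth2','reveal','allow','deny')][string]$ListName
    )
    # One repadmin call per list. Only lines that look like LDAP DNs are kept, so the
    # parser does not depend on the exact header text that repadmin prints.
    $output = & repadmin.exe /prp view $Rodc $ListName 2>&1
    $dns = foreach ($line in $output) {
        if ("$line" -match '^\s*(CN=.+?,(?:OU|CN|DC)=.+)$') { $Matches[1].Trim() }
    }
    return ,@($dns)
}

function Get-RodcPrpReport {
    param(
        [Parameter(Mandatory)][string]$Rodc,
        [string[]]$PrivilegedGroupCns = @('Domain Admins','Enterprise Admins','Administrators','Schema Admins')
    )
    $lists = @{}
    foreach ($name in 'auth2','reveal','allow','deny') {
        $lists[$name] = Get-RodcPrpList -Rodc $Rodc -ListName $name
    }

    # Accounts that authenticated through the RODC but whose passwords are not cached:
    # review these before deciding what to move into the Allowed List.
    $authNotCached = @($lists['auth2'] | Where-Object { $lists['reveal'] -notcontains $_ })

    # Privileged principals in the Allowed List, or already cached, deserve immediate attention:
    # an RODC in a branch should never hold their password hashes.
    $escaped = $PrivilegedGroupCns | ForEach-Object { [regex]::Escape($_) }
    $privPattern = '^CN=(' + ($escaped -join '|') + '),'
    $privAllowedOrCached = @(($lists['allow'] + $lists['reveal']) |
        Where-Object { $_ -match $privPattern } | Sort-Object -Unique)

    [pscustomobject]@{
        Rodc                      = $Rodc
        AllowedCount              = $lists['allow'].Count
        DeniedCount               = $lists['deny'].Count
        AuthenticatedCount        = $lists['auth2'].Count
        CachedCount               = $lists['reveal'].Count
        AuthenticatedNotCached    = $authNotCached
        PrivilegedAllowedOrCached = $privAllowedOrCached
    }
}

# Usage (host name taken from the page's examples):
# Get-RodcPrpReport -Rodc 'rodc2.hq.cpandl.com' | Format-List
```

Run it with the same Domain Admin credentials the page requires for repadmin. Keep in mind the caveat given later for the reveal list: on an RODC with a large cache, repadmin /prp view reveal may return only a subset of accounts, so CachedCount is a lower bound rather than an exact figure.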

Example 3: Clear the list of authenticated accounts

Note that this command does not actually remove account passwords from an RODC. It only deletes the list of those accounts.

There is no mechanism to erase passwords after they are cached on an RODC. If you want to clear a password that is stored on an RODC, reset the password in the hub site. This way, the password that is cached in the branch will no longer be valid for accessing any resources in the hub site or other branches. In the branch that contains the RODC on which the password may have been compromised, the password will still be valid for authentication purposes until the next replication cycle, at which time the value that is stored on the RODC will be changed to Null. The new password is cached again only after the user authenticates with it, or after it is prepopulated on the RODC, and only if the PRP has not been changed.

To clear the list of authenticated accounts for RODC2, use the following command:

repadmin /prp delete rodc2 auth2 /all

Example 4: Configure the PRP

To add an account named RODC2users from a top-level OU named West in the domain hq.cpandl.com to the Allowed List (or to remove it from the Allowed List) for an RODC computer with the host name RODC2, use one of the following commands:

Note

To find the Lightweight Directory Access Protocol (LDAP) distinguished name of a directory object from the command line, you can use the dsquery command. For example, if you want to find the distinguished name of a group that has "RODC" as part of its name from a computer in the local domain, you can run the command dsquery group -name *RODC*. The asterisks around "RODC" indicate that any number of characters can come before or after the letters RODC. If instead you want to find the distinguished name of a computer or user, substitute either the word computer or the word user (respectively) for the word group in the command. For more information about dsquery command syntax, see Dsquery (https://go.microsoft.com/fwlink/?LinkId=120196).

To allow the account RODC2users to be cached on RODC2, use the following command:

repadmin /prp add rodc2.hq.cpandl.com allow cn=RODC2users,ou=west,dc=hq,dc=cpandl,dc=com

To remove the account from the Allowed List, use the following command:

repadmin /prp delete rodc2.hq.cpandl.com allow cn=RODC2users,ou=west,dc=hq,dc=cpandl,dc=com

Example 5: Move accounts that an RODC has authenticated to the Allowed RODC Password Replication Policy Group

To move only the user accounts from the current Authenticated To list of RODC2 into the group Allowed RODC Password Replication Group (and thereby into the Allowed List of RODC2), use the following command. The group name is required by the move syntax shown above:

Repadmin /prp move rodc2 "Allowed RODC Password Replication Group" /users_only

Note

You cannot selectively move entries from the Auth2 list to the Allowed List by using the repadmin /prp move command. However, when you have created an appropriate group, you can use Active Directory Users and Computers, Dsadd, and similar tools to add users or computers to that group.

Example 6: View accounts with cached passwords on an RODC

To see the accounts with cached passwords on an RODC with the host name RODC2 in the domain contoso.com, use the following command:

repadmin /prp view rodc2.contoso.com reveal

Important

If you have a large number of accounts cached, the repadmin /prp view <hostname> reveal command might return only a subset of the accounts. For more information, see Repadmin /PRP might return only a subset of accounts (https://go.microsoft.com/fwlink/?LinkId=185775).

repadmin /rodcpwdrepl

Triggers replication of passwords for the specified users from the source (Hub site domain controllers) to one or more RODCs.

For each destination RODC, the ability to cache the user's password is evaluated before the operation succeeds. In other words, the specified user must be in the Allowed RODC Password Replication Group and not be a member of the Denied RODC Password Replication Group for the destination RODC. You can specify multiple users, but if a user's password is not allowed to be cached for a destination RODC, the request for that specific user and destination RODC will fail.

Syntax

Repadmin /rodcpwdrepl <hostnameRODC> <hostnameWDC> <User1LdapPath> <Computer1LdapPath> <UserNLdapPath> <ComputerNLdapPath>

Parameter Definition

<hostnameRODC>

The host name or FQDN of the RODC whose password cache you want to prepopulate. If you are running the command from outside the target domain, use the FQDN.

<hostnameWDC>

The host name or FQDN of the writable domain controller that is the replication partner of the RODC. If you are running the command from outside the target domain, use the FQDN.

<User1LdapPath>

The LDAP distinguished name of a user account whose password you want to prepopulate.

<Computer1LdapPath>

The LDAP distinguished name of a computer account whose password you want to prepopulate. You must add the computer accounts of the users or they will not be able to log on.

<UserNLdapPath>

The LDAP distinguished name of another user account whose password you want to prepopulate.

<ComputerNLdapPath>

The LDAP distinguished name of another computer account whose password you want to prepopulate. You must add the computer accounts of the users or they will not be able to log on.

Example

The following command prepopulates the password cache for an RODC named RODC2 in the domain hq.cpandl.com, using the writable domain controller named WS2008A to transfer the passwords for a user account for Mike Danseglio (MikeDan) and his computer named MDVista1. The MikeDan account is in a top-level OU named B1 Users, and the MDVista1 account is in the default Computers container.

repadmin /rodcpwdrepl rodc2.hq.cpandl.com ws2008a.hq.cpandl.com "cn=mikedan,ou=b1 users,dc=hq,dc=cpandl,dc=com" cn=mdvista1,cn=Computers,dc=hq,dc=cpandl,dc=com
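When a branch is being prepared, the prepopulation above is usually repeated for many users, and two details from the description matter: a user's computer account must be prepopulated alongside the user or the user cannot log on, and a request fails for any user whose password the PRP does not allow that RODC to cache. The following PowerShell script is an added example, not code from the original page or from Microsoft. It runs repadmin /rodcpwdrepl once per user/computer pair so that a failure can be attributed to a specific account, supports -WhatIf for a dry run, and afterwards checks the reveal list of the RODC for the replicated names. It assumes repadmin.exe is on the PATH and runs with Domain Admin credentials, that repadmin returns a non-zero exit code when a request fails (the captured output is kept for inspection in any case), and that the CSV text is constructed sample data reusing the host and account names from the page's example.

```powershell
# Added example (not from the original page): batch prepopulation of an RODC password
# cache with repadmin /rodcpwdrepl, one user/computer pair per call so that a failure for
# one account (for example, an account that the PRP denies) is attributed and reported.
# Assumptions: repadmin.exe is on PATH and run as Domain Admin; a non-zero exit code
# signals failure; the CSV below is constructed sample data using the page's example names.

function Invoke-RodcPrepopulate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Rodc,       # host name or FQDN of the RODC
        [Parameter(Mandatory)][string]$Wdc,        # writable DC that is the RODC's replication partner
        [Parameter(Mandatory)][string]$PairsCsv    # CSV text with the columns UserDn,ComputerDn
    )
    $pairs = ConvertFrom-Csv -InputObject $PairsCsv
    $results = foreach ($pair in $pairs) {
        # The user and the computer account are always replicated together: without the
        # computer account the user cannot log on at the branch.
        $target = "$($pair.UserDn) and $($pair.ComputerDn) to $Rodc"
        if (-not $PSCmdlet.ShouldProcess($target, 'repadmin /rodcpwdrepl')) { continue }
        $output = & repadmin.exe /rodcpwdrepl $Rodc $Wdc $pair.UserDn $pair.ComputerDn 2>&1
        [pscustomobject]@{
            UserDn     = $pair.UserDn
            ComputerDn = $pair.ComputerDn
            ExitCode   = $LASTEXITCODE
            Succeeded  = ($LASTEXITCODE -eq 0)
            Output     = (($output | ForEach-Object { "$_" }) -join ' ').Trim()
        }
    }
    return @($results)
}

function Confirm-RodcCached {
    param(
        [Parameter(Mandatory)][string]$Rodc,
        [Parameter(Mandatory)][string[]]$Dns
    )
    # Post-check: the reveal (cached) list should now contain every DN that was replicated.
    # For a large cache repadmin may list only a subset, so a miss here warrants a closer look
    # rather than being treated as proof that the password is absent.
    $revealed = ((& repadmin.exe /prp view $Rodc reveal 2>&1) | ForEach-Object { "$_" }) -join "`n"
    foreach ($dn in $Dns) {
        [pscustomobject]@{ Dn = $dn; Cached = ($revealed -imatch [regex]::Escape($dn)) }
    }
}

# Constructed sample input (names from the page's example, not a real environment)
$samplePairs = @'
UserDn,ComputerDn
"cn=mikedan,ou=b1 users,dc=hq,dc=cpandl,dc=com","cn=mdvista1,cn=Computers,dc=hq,dc=cpandl,dc=com"
'@

$rodc = 'rodc2.hq.cpandl.com'
$wdc  = 'ws2008a.hq.cpandl.com'

# Dry run first (prints what would be replicated), then the real run, then verification
Invoke-RodcPrepopulate -Rodc $rodc -Wdc $wdc -PairsCsv $samplePairs -WhatIf
$run = Invoke-RodcPrepopulate -Rodc $rodc -Wdc $wdc -PairsCsv $samplePairs
$run | Format-Table UserDn, Succeeded, ExitCode -AutoSize
$run | Where-Object { -not $_.Succeeded } | Format-List UserDn, ComputerDn, Output
$replicated = $run | Where-Object Succeeded | ForEach-Object { $_.UserDn; $_.ComputerDn }
if ($replicated) { Confirm-RodcCached -Rodc $rodc -Dns $replicated | Format-Table -AutoSize }
```

Rows that fail are the ones to look at before retrying: a failing user is typically outside the Allowed List or inside the Deny List for that RODC, which repadmin /prp view <RODC> <User> will confirm, and a deliberately denied account should stay denied rather than be added to the Allowed List just to make the batch succeed.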