Q. How do I control a read-only domain controller's (RODC's) credential caching and password replication?
March 26, 2008
A. By default, an RODC won't cache any user or computer passwords. You can change this policy through each RODC's unique Password Replication Policy (PRP).
To change the PRP, go to the RODC's Computer Properties and access the Password Replication Policy tab. Click the Allowed RODC Password Replication option to get the Add Groups, Users and Computers dialog box. Next, select the “Allow passwords for the account to replicate to this RODC” check box, as shown below.
Certain members of core groups, such as administrators and server operators, are denied by default, and denied status will always take preference over allowed status. Only those users' designated in the Allowed RODC Password Replication Group can have their credentials stored.
A typical policy would create a group for each branch office with an RODC, and add users in that branch office. Then the administrator would allow password replication for that branch-office group.
About the Author
You May Also Like