Lists and modifies the Password Replication Policy (PRP) for read-only domain controllers (RODCs).
You run the repadmin /prp command against a writable domain controller that runs Windows Server 2008 rather than an RODC.
For examples of how to use this command, see Examples.
Syntax
repadmin /prp <OPERATION> <RODC> [ADDITIONAL_ARGS]
Operations
The repadmin /prp command can perform the following operations:
Additional arguments are available for each operation.
Add
Adds the specified security principal to the msDS-RevealOnDemandGroup attribute that is associated with the RODC. (This attribute is also known as the Allowed List.)
Syntax
repadmin /prp add <RODC> allow <PRINCIPAL>
Additional parameters
Parameter | Description
---|---
<RODC> | Specifies the host name of the RODC. You can specify the single-label host name or the fully qualified domain name (FQDN). In addition, you can use an asterisk (*) as a wildcard character to specify multiple RODCs in one domain.
<PRINCIPAL> | Specifies the name of the security principal that you want to add to the Allowed List.
Delete
Deletes one or more specified security principals from the msDS-AuthenticatedToAccountList attribute or from the msDS-RevealOnDemandGroup attribute that is associated with the RODC. (The AuthenticatedToAccountList attribute is also known as the Authenticated to List, and the msDS-RevealOnDemandGroup attribute is also known as the Allowed List.)
Syntax
repadmin /prp delete <RODC> allow {<PRINCIPAL>|/all}
repadmin /prp delete <RODC> auth2 /all
Additional parameters
Parameter | Description
---|---
<RODC> | Specifies the host name of the RODC. You can specify the single-label host name or the FQDN. In addition, you can use an asterisk (*) as a wildcard character to specify multiple RODCs in one domain.
<PRINCIPAL> | Specifies the name of the security principal that you want to delete from the Allowed List. Specify /all to have the operation affect all security principals.
/all | Specifies all security principals. You cannot delete only one security principal from the msDS-AuthenticatedToAccountList attribute.
Move
Moves all the security principals from the msDS-AuthenticatedToAccountList attribute to the specified group. If the group does not exist, this command creates the group. If necessary, this command also adds the group to the msDS-RevealOnDemandGroup attribute of the RODC. (The msDS-AuthenticatedToAccountList attribute is also known as the Authenticated To List, and the msDS-RevealOnDemandGroup attribute is also known as the Allowed List.)
Syntax
repadmin /prp move <RODC> <Group> [/noauth2cleanup] [/users_only | /comps_only]
Additional parameters
Parameter | Description
---|---
<RODC> | Specifies the host name of the RODC. For this operation, you can specify the single-label host name or the FQDN.
<Group> | Specifies the name of the security group to which you want to move the security principals. If the security group does not exist, this command creates the security group in the built-in Users container. You can specify the name of the security group but not the distinguished name.
/noauth2cleanup | Retains the list of security principals in the msDS-AuthenticatedToAccountList attribute after the Move operation is complete. By default, the msDS-AuthenticatedToAccountList attribute is cleared.
/users_only | Moves only user accounts from the msDS-AuthenticatedToAccountList attribute to the specified group. The group is then added to the msDS-RevealOnDemandGroup attribute.
/comps_only | Moves only computer accounts from the msDS-AuthenticatedToAccountList attribute to the specified group. The group is then added to the msDS-RevealOnDemandGroup attribute.
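Before running repadmin /prp move, an administrator usually wants to see exactly which accounts the Move operation is about to put into the Allowed List. The following PowerShell script is an added example, not part of the repadmin documentation; it assumes the ActiveDirectory module (Get-ADDomainController, Get-ADComputer, Get-ADObject) and reads the same msDS-AuthenticatedToAccountList and msDS-RevealOnDemandGroup attributes the command manipulates, splitting the Authenticated To List into user and computer accounts the way /users_only and /comps_only do.

```powershell
# Added example (not from the repadmin documentation): preview what
# "repadmin /prp move <RODC> <Group>" would move by reading the RODC's
# PRP attributes directly. Assumes the ActiveDirectory PowerShell module.
function Get-RodcPrpPreview {
    param(
        [Parameter(Mandatory)] [string] $Rodc   # single-label host name or FQDN
    )
    Import-Module ActiveDirectory

    # The PRP attributes live on the RODC's computer object.
    $dc = Get-ADDomainController -Identity $Rodc
    if (-not $dc.IsReadOnly) {
        throw "$Rodc is a writable domain controller; /prp applies only to RODCs."
    }
    $rodcObj = Get-ADComputer -Identity $dc.ComputerObjectDN `
        -Properties 'msDS-AuthenticatedToAccountList', 'msDS-RevealOnDemandGroup'

    # Authenticated To List: accounts that have authenticated through this RODC
    # and would be moved into <Group> by "repadmin /prp move".
    $auth2 = @($rodcObj.'msDS-AuthenticatedToAccountList')
    $users = @(); $comps = @()
    foreach ($dn in $auth2) {
        $obj = Get-ADObject -Identity $dn -Properties objectClass
        if ($obj.ObjectClass -eq 'computer') { $comps += $dn }   # what /comps_only moves
        else                                 { $users += $dn }   # what /users_only moves
    }

    # Allowed List: principals whose passwords this RODC is permitted to cache.
    $allowed = @($rodcObj.'msDS-RevealOnDemandGroup')

    [pscustomobject]@{
        RODC                     = $dc.HostName
        AuthenticatedToUsers     = $users
        AuthenticatedToComputers = $comps
        AllowedList              = $allowed
    }
}

# Example call (constructed RODC name):
Get-RodcPrpPreview -Rodc 'br1-rodc01' | Format-List
```

Review the AuthenticatedToUsers and AuthenticatedToComputers entries before running repadmin /prp move, since every account listed there becomes cacheable on the RODC once its group lands in the Allowed List.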
View
Displays the security principals in the specified list or displays the current PRP setting (allowed or denied) for a specified user.
Syntax
repadmin /prp view <RODC> {<List_Name>|<User>}
Additional parameters
Parameter | Description
---|---
<RODC> | Specifies the host name of the RODC. You can specify the single-label host name or the fully qualified domain name. In addition, you can use an asterisk (*) as a wildcard character to specify multiple RODCs in one domain.
<List_Name> | Specifies all the security principals that are in the list that you want to view. The following table shows the valid list names.
<User> | Specifies the effective PRP setting (allowed or denied) for the specified user. You can specify the user name only or the distinguished name.
Examples
The following example lists the users whose passwords are currently cached on the domain controller named br1-rodc01:
repadmin /prp view br1-rodc01 reveal
The following command caches the password for the user account named MikeDan on the domain controller named br1-rodc1:
repadmin /prp add br1-rodc1 allow cn=MikeDan,ou=user-groups,dc=contoso,dc=com