Lists and modifies the Password Replication Policy (PRP) for read-only domain controllers (RODCs).

You run the repadmin /prp command against a writable domain controller that runs Windows Server 2008 rather than an RODC.

For examples of how to use this command, see Examples.

Syntax

repadmin /prp <OPERATION> <RODC> [ADDITIONAL_ARGS]

Operations

The repadmin /prp command can perform the following operations:

Add
Delete
Move
View

Additional arguments are available for each operation.

Add

Adds the specified security principal to the msDS-RevealOnDemandGroup attribute that is associated with the RODC. (This attribute is also known as the Allowed List.)

Syntax

repadmin /prp add <RODC> allow <PRINCIPAL>

Additional parameters

Parameter	Description
<RODC>	Specifies the host name of the RODC. You can specify the single-label host name or the fully qualified domain name (FQDN). In addition, you can use an asterisk (*) as a wildcard character to specify multiple RODCs in one domain.
<PRINCIPAL>	Specifies the name of the security principal that you want to add to the Allowed List.

Delete

Deletes one or more specified security principals from the msDS-AuthenticatedToAccountList attribute or from the msDS-RevealOnDemandGroup attribute that is associated with the RODC. (The AuthenticatedToAccountList attribute is also known as the Authenticated to List, and the msDS-RevealOnDemandGroup attribute is also known as the Allowed List.)

Syntax

repadmin /prp delete <RODC> allow {<PRINCIPAL>|/all}
repadmin /prp delete <RODC> auth2 /all

Additional parameters

Parameter	Description
<RODC>	Specifies the host name of the RODC. You can specify the single-label host name or the FQDN. In addition, you can use an asterisk (*) as a wildcard character to specify multiple RODCs in one domain.
<PRINCIPAL>	Specifies the name of the security principal that you want to add to the Allowed List. Specify /all to have the operation affect all security principals.
/all	Specifies all security principals. You cannot delete only one security principal from the msDS-AuthenticatedToAccountList attribute.

Move

Moves all the security principals from the msDS-AuthenticatedToAccountList attribute to the specified group. If the group does not exist, this command creates the group. If necessary, this command also adds the group to the msDS-RevealOnDemandGroup attribute of the RODC. (The msDS-AuthenticatedToAccountList attribute is also known as the Authenticated To List, and the msDS-RevealOnDemandGroup attribute is also known as the Allowed List.)

Syntax

repadmin /prp move <RODC> <Group> [/noauth2cleanup] [/users_only | /comps_only]

Additional parameters

Parameter	Description
<RODC>	Specifies the host name of the RODC. For this operation, you can specify the single-label host name or the FQDN.
<Group>	Specifies the name of the security group to which you want to move the security principals. If the security group does not exist, this command creates the security group in the built-in Users container. You can specify the name of the security group but not the distinguished name.
/noauth2cleanup	Retains the list of security principals in the msDS-AuthenticatedToAccountList attribute after the Move operation is complete. By default, the msDS-AuthenticatedToAccountList attribute is cleared.
/users_only	Moves only user accounts from the msDS-AuthenticatedToAccountList attribute to the specified group. The group is then added to the msDS-RevealOnDemandGroup attribute.
/comps_only	Moves only computer accounts from the msDS-AuthenticatedToAccountList attribute to the specified group. The group is then added to the msDS-RevealOnDemandGroup attribute.

View

Displays the security principals in the specified list or displays the current PRP setting (allowed or denied) for a specified user.

Syntax

repadmin /prp view <RODC> {<List_Name>|<User>}

Additional parameters

Parameter

Description

<RODC>

Specifies the host name of the RODC. You can specify the single-label host name or the fully qualified domain name. In addition, you can use an asterisk (*) as a wildcard character to specify multiple RODCs in one domain.

<List_Name>

Specifies all the security principals that are in the list that you want to view. The following table shows the valid list names.

List name	Description
auth2	The list of security principals that the RODC has authenticated.
reveal	The list of security principals for which the RODC has cached passwords.
allow	The list of security principals in the msDS-RevealOnDemandGroup attribute. The RODC can cache passwords for this list of security principals only.
deny	The list of security principals in the msDS-NeverRevealGroup attribute. The RODC cannot cache passwords for any security principals in this list.

<User>

Specifies the effective PRP setting (allowed or denied) for the specified user. You can specify the user name only or the distinguished name.

Examples

The following example lists the users whose passwords are currently cached on the domain controller named br1-rodc01:

repadmin /prp view br1-rodc01 reveal

The following command caches the password for the user account named MikeDan on the domain controller named br1-rodc1:

repadmin /prp add br1-rodc1 allow cn=MikeDan,ou=user-groups,dc=contoso,dc=com

Additional references

Command-Line Syntax Key

Repadmin

Repadmin /prp

Syntax

Operations

Add

Syntax

Additional parameters

Delete

Syntax

Additional parameters

Move

Syntax

Additional parameters

View

Syntax

Additional parameters

Examples

Additional references