Lists and modifies the Password Replication Policy (PRP) for read-only domain controllers (RODCs).

You run the repadmin /prp command against a writable domain controller that runs Windows Server 2008, not against the RODC itself.

For examples of how to use this command, see Examples.

Syntax

repadmin /prp <OPERATION> <RODC> [ADDITIONAL_ARGS]

Operations

The repadmin /prp command can perform the following operations: add, delete, move, and view.

Additional arguments are available for each operation.

Add

Adds the specified security principal to the msDS-RevealOnDemandGroup attribute that is associated with the RODC. (This attribute is also known as the Allowed List.)

Syntax

repadmin /prp add <RODC> allow <PRINCIPAL>

Additional parameters

Parameter Description

<RODC>

Specifies the host name of the RODC. You can specify the single-label host name or the fully qualified domain name (FQDN). In addition, you can use an asterisk (*) as a wildcard character to specify multiple RODCs in one domain.

<PRINCIPAL>

Specifies the name of the security principal that you want to add to the Allowed List.

Delete

Deletes one or more specified security principals from the msDS-AuthenticatedToAccountList attribute or from the msDS-RevealOnDemandGroup attribute that is associated with the RODC. (The msDS-AuthenticatedToAccountList attribute is also known as the Authenticated To List, and the msDS-RevealOnDemandGroup attribute is also known as the Allowed List.)

Syntax

repadmin /prp delete <RODC> allow {<PRINCIPAL>|/all}
repadmin /prp delete <RODC> auth2 /all

Additional parameters

Parameter Description

<RODC>

Specifies the host name of the RODC. You can specify the single-label host name or the FQDN. In addition, you can use an asterisk (*) as a wildcard character to specify multiple RODCs in one domain.

<PRINCIPAL>

Specifies the name of the security principal that you want to delete from the Allowed List. Specify /all to have the operation affect all security principals.

/all

Specifies all security principals. You cannot delete only one security principal from the msDS-AuthenticatedToAccountList attribute.

Move

Moves all the security principals from the msDS-AuthenticatedToAccountList attribute to the specified group. If the group does not exist, this command creates the group. If necessary, this command also adds the group to the msDS-RevealOnDemandGroup attribute of the RODC. (The msDS-AuthenticatedToAccountList attribute is also known as the Authenticated To List, and the msDS-RevealOnDemandGroup attribute is also known as the Allowed List.)

Syntax

repadmin /prp move <RODC> <Group> [/noauth2cleanup] [/users_only | /comps_only]

Additional parameters

Parameter Description

<RODC>

Specifies the host name of the RODC. For this operation, you can specify the single-label host name or the FQDN.

<Group>

Specifies the name of the security group to which you want to move the security principals. If the security group does not exist, this command creates the security group in the built-in Users container. You can specify the name of the security group but not the distinguished name.

/noauth2cleanup

Retains the list of security principals in the msDS-AuthenticatedToAccountList attribute after the Move operation is complete. By default, the msDS-AuthenticatedToAccountList attribute is cleared.

/users_only

Moves only user accounts from the msDS-AuthenticatedToAccountList attribute to the specified group. The group is then added to the msDS-RevealOnDemandGroup attribute.

/comps_only

Moves only computer accounts from the msDS-AuthenticatedToAccountList attribute to the specified group. The group is then added to the msDS-RevealOnDemandGroup attribute.

View

Displays the security principals in the specified list or displays the current PRP setting (allowed or denied) for a specified user.

Syntax

repadmin /prp view <RODC> {<List_Name>|<User>}

Additional parameters

Parameter Description

<RODC>

Specifies the host name of the RODC. You can specify the single-label host name or the fully qualified domain name. In addition, you can use an asterisk (*) as a wildcard character to specify multiple RODCs in one domain.

<List_Name>

Specifies the list whose security principals you want to view. The following table shows the valid list names.

List name Description

auth2

The list of security principals that the RODC has authenticated.

reveal

The list of security principals for which the RODC has cached passwords.

allow

The list of security principals in the msDS-RevealOnDemandGroup attribute. The RODC can cache passwords for this list of security principals only.

deny

The list of security principals in the msDS-NeverRevealGroup attribute. The RODC cannot cache passwords for any security principals in this list.

<User>

Specifies a user for which the command displays the effective PRP setting (allowed or denied). You can specify the user name only or the distinguished name.

Examples

The following example lists the users whose passwords are currently cached on the domain controller named br1-rodc01:

repadmin /prp view br1-rodc01 reveal

The following command adds the user account named MikeDan to the Allowed List of the domain controller named br1-rodc1, which permits that RODC to cache the user's password:

repadmin /prp add br1-rodc1 allow cn=MikeDan,ou=user-groups,dc=contoso,dc=com
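The following PowerShell script is an added example and is not part of the repadmin documentation. It audits the four lists that repadmin /prp view displays (allow, deny, auth2, reveal) using the ActiveDirectory module cmdlets that read the same msDS-RevealOnDemandGroup, msDS-NeverRevealGroup, msDS-AuthenticatedToAccountList and revealed-password attributes, and warns when a member of a privileged group appears on a list where it should not. The RODC name and the group names are placeholders for your environment; the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example (not from the repadmin documentation): audit an RODC's Password
# Replication Policy. The cmdlets below read the same attributes that
# "repadmin /prp view <RODC> {allow|deny|auth2|reveal}" displays.
# Assumptions: RSAT ActiveDirectory module installed; $Rodc and $PrivilegedGroups
# are placeholders to adjust for your domain.
Import-Module ActiveDirectory

$Rodc = 'br1-rodc01'   # placeholder RODC host name (taken from the page's example)
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')

# Allowed List (msDS-RevealOnDemandGroup) and Denied List (msDS-NeverRevealGroup)
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied

# reveal list (accounts whose secrets the RODC holds) and auth2 list
# (msDS-AuthenticatedToAccountList: accounts the RODC has authenticated)
$revealed      = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
$authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts

# Distinguished names of every (recursive) member of the privileged groups
$privilegedDns = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive | Select-Object -ExpandProperty DistinguishedName
}

# 1. A privileged account whose secret is cached on a branch RODC is exactly what
#    the Denied List exists to prevent; treat it as a finding.
$revealed | Where-Object { $privilegedDns -contains $_.DistinguishedName } |
    ForEach-Object { Write-Warning "Privileged secret cached on ${Rodc}: $($_.DistinguishedName)" }

# 2. Privileged accounts on the auth2 list authenticated through the RODC, which
#    usually means an administrator logged on at the branch site.
$authenticated | Where-Object { $privilegedDns -contains $_.DistinguishedName } |
    ForEach-Object { Write-Warning "Privileged logon via ${Rodc}: $($_.DistinguishedName)" }

# 3. Privileged principals on the Allowed List should be reviewed; an unintended
#    entry is removed with: repadmin /prp delete <RODC> allow <PRINCIPAL>
$allowed | Where-Object { $privilegedDns -contains $_.DistinguishedName } |
    ForEach-Object { Write-Warning "Privileged principal on Allowed List of ${Rodc}: $($_.DistinguishedName)" }

# Summary of list sizes for the audit report
[pscustomobject]@{
    RODC          = $Rodc
    Allowed       = @($allowed).Count
    Denied        = @($denied).Count
    Revealed      = @($revealed).Count
    Authenticated = @($authenticated).Count
}
```

The effective setting for a single account, as reported by repadmin /prp view <RODC> <User>, is the combination of the Allowed and Denied lists, with denial taking precedence; the script's warnings are intended to drive the corresponding repadmin /prp delete or move decisions.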

Additional references