Q. Can I sync the Directory Services Restore Mode (DSRM) password with the password of another account on a one-time basis?

A. It's possible to synchronize the password used for DSRM with the following command. Note that you should replace <account> with the domain account whose password should be synced.

ntdsutil "set dsrm password" "sync from domain account <account>" q q

Note that this is a one-time action and if you change the password for the domain account, you need to run the above command again. Also, this command must be run on each domain controller (DC), because the DSRM password is local to each DC.

Below is an example execution.

C:\Users\administrator.SAVILLTECH>ntdsutil "set dsrm password" "sync from domain account savilltech\Administrator" q q
ntdsutil: set dsrm password
Reset DSRM Administrator Password: sync from domain account savilltech
Password has been synchronized successfully.

Reset DSRM Administrator Password: q
ntdsutil: q

Note that this only works on domain controllers running Windows Server 2008 and above, and this hotfix must be applied to pre-SP2 Windows 2008 servers. Also, a reboot is required.
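
Because the DSRM password is local to each DC, the sync has to be repeated on every one of them. The following PowerShell script is an added example, not part of the original FAQ: it runs the same ntdsutil command on every DC in the domain and reports which ones printed the success message shown above. It assumes the ActiveDirectory module, PowerShell 3.0 or later with remoting enabled on the DCs, and a hypothetical -Account parameter.

```powershell
# Added example (not from the original FAQ). Assumes the ActiveDirectory
# module, PowerShell remoting to every DC, and PowerShell 3.0+ for $using:.
param(
    # Hypothetical parameter: the domain account whose password is copied,
    # in DOMAIN\account form, e.g. 'EXAMPLE\dsrm-sync' (constructed value).
    [Parameter(Mandatory)] [string] $Account
)

Import-Module ActiveDirectory

# Success marker taken from the ntdsutil output in the example execution.
$marker = 'Password has been synchronized successfully.'

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $status = 'Failed'
    $detail = ''
    try {
        $output = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            # Same command as in the FAQ; 2>&1 keeps error text in the returned output.
            & ntdsutil.exe 'set dsrm password' "sync from domain account $using:Account" q q 2>&1
        }
        $text = ($output | Out-String)
        if ($text -match [regex]::Escape($marker)) { $status = 'Synced' }
        else { $detail = $text.Trim() }
    }
    catch {
        # DC unreachable, remoting disabled, access denied, and so on.
        $status = 'Unreachable'
        $detail = $_.Exception.Message
    }
    [pscustomobject]@{ DomainController = $dc.HostName; Status = $status; Detail = $detail }
}

$results | Format-Table -AutoSize -Wrap

# Non-zero exit code if any DC still holds its previous DSRM password.
if ($results | Where-Object Status -ne 'Synced') { exit 1 }
```

Run it again after every password change on the source account; any DC reported as Failed or Unreachable still has its previous DSRM password.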

Check out hundreds more useful Q&As like this in John Savill's FAQ for Windows. Also, watch instructional videos made by John at ITTV.net.