Q. How do I control a read-only domain controller's (RODC's) credential caching and password replication?

A. By default, an RODC won't cache any user or computer passwords. You can change this policy through each RODC's unique Password Replication Policy (PRP).

To change the PRP, go to the RODC's Computer Properties and access the Password Replication Policy tab. Click the Allowed RODC Password Replication option to get the Add Groups, Users and Computers dialog box. Next, select the “Allow passwords for the account to replicate to this RODC” check box, as shown below.

Members of certain core groups, such as Administrators and Server Operators, are denied by default, and a Denied entry always takes precedence over an Allowed entry. Only the users designated in the Allowed RODC Password Replication Group can have their credentials stored on the RODC.

A typical policy would create a group for each branch office with an RODC, and add users in that branch office. Then the administrator would allow password replication for that branch-office group.
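The same branch-office policy scripted with the ActiveDirectory PowerShell module, as an added example that is not part of the original FAQ; the RODC name BRANCH-RODC1, the group Branch-Seattle-Users and the users alice and bob are assumed placeholders.

```powershell
# Added example (not from the original FAQ). Assumed names: RODC 'BRANCH-RODC1',
# branch group 'Branch-Seattle-Users', sample users 'alice' and 'bob'.
Import-Module ActiveDirectory

$Rodc  = 'BRANCH-RODC1'
$Group = 'Branch-Seattle-Users'

# 1. One group per branch office; only its members will ever be cached on that RODC.
if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
    New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security `
        -Description "Accounts whose passwords may be cached on $Rodc"
}
Add-ADGroupMember -Identity $Group -Members 'alice', 'bob'

# 2. Put the branch group on this RODC's Allowed list (the GUI's
#    "Allow passwords for the account to replicate to this RODC").
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $Group

# 3. Verify the resulting PRP. Deny always wins over Allow, so the default
#    denied groups (Administrators, Server Operators, ...) stay uncacheable
#    even if one of their members is also in the branch group.
Write-Host "Allowed on $Rodc :"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object -ExpandProperty Name
Write-Host "Denied on $Rodc :"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
    Select-Object -ExpandProperty Name

# 4. Audit what is actually cached: accounts whose secrets have been replicated
#    to this RODC. Anything unexpected here is the exposure if the RODC is lost,
#    and these are the accounts whose passwords should be reset afterwards.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object Name, ObjectClass
```

Step 4 is worth running periodically: the Allowed list says who may be cached, while the revealed-accounts list says who actually has been.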
