Q. How do I make the Directory Services Restore Mode (DSRM) administrator password work on my Windows 2008 domain controllers (DCs) if the Active Directory Directory Service (AD DS) is stopped and no other DCs are available?

A. Using the DsrmAdminLogonBehavior registry value, you can allow the DSRM administrator account to log on to a DC when its AD DS service is stopped. This is useful if you've stopped the local AD DS service, no other DCs are available, and you've logged off or your password-protected screen saver has activated.

The registry value is located at HKLM\System\CurrentControlSet\Control\Lsa\DSRMAdminLogonBehavior. Its possible values are:

  • 0 (default): You can only use the DSRM administrator account if the DC is started in DSRM.
  • 1: You can use the DSRM administrator account to log on if the local AD DS service is stopped.
  • 2: You can always use the DSRM administrator account. This setting isn't recommended, because password policies don't apply to the DSRM administrator account.
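
To see which of these settings a DC is actually running with, a read-only PowerShell audit along these lines can help. It is an added example, not part of the original FAQ; the function names are hypothetical, and it assumes a missing value behaves like the default of 0.

```powershell
# Added example: read-only audit of DsrmAdminLogonBehavior. Changes nothing.
$LsaKey    = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$ValueName = 'DsrmAdminLogonBehavior'

# Hypothetical helper: map a raw registry value to the behaviour listed above.
function Resolve-DsrmLogonBehavior {
    param($RawValue)

    # Assumption: a missing value is treated like the default, 0.
    $effective = if ($null -eq $RawValue) { 0 } else { [int]$RawValue }

    $meaning = switch ($effective) {
        0 { 'DSRM account usable only when the DC is started in DSRM' }
        1 { 'DSRM account can log on when the local AD DS service is stopped' }
        2 { 'DSRM account can always log on' }
        default { 'Value outside the documented range 0-2' }
    }

    New-Object PSObject -Property @{
        Configured  = ($null -ne $RawValue)
        Value       = $effective
        Meaning     = $meaning
        # 2 is the setting advised against; undocumented values also need a look.
        NeedsReview = -not (0, 1 -contains $effective)
    }
}

# Hypothetical helper: read the value from the local machine's registry.
function Get-DsrmLogonBehavior {
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    $raw  = if ($item) { $item.$ValueName } else { $null }
    Resolve-DsrmLogonBehavior -RawValue $raw
}

# Constructed sample inputs ($null stands for "value not present").
foreach ($sample in @($null, 0, 1, 2)) {
    Resolve-DsrmLogonBehavior -RawValue $sample
}

# On a Windows host, report the live setting.
if (Test-Path $LsaKey) {
    Get-DsrmLogonBehavior
}
```

Any DC reporting `NeedsReview = True` is worth following up, since that covers both the always-on setting and values outside the documented range.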

Check out hundreds more useful Q&As like this in John Savill's FAQ for Windows. Also, watch instructional videos made by John at ITTV.net.