Repadmin /prp
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2
Lists and modifies the Password Replication Policy (PRP) for read-only domain controllers (RODCs).
You run the repadmin /prp command against a writable domain controller that runs Windows Server 2008, not against an RODC.
For examples of how to use this command, see Examples.
Syntax
repadmin /prp <OPERATION> <RODC> [ADDITIONAL_ARGS]
Operations
The repadmin /prp command can perform the following operations:
Add
Delete
Move
View
Additional arguments are available for each operation.
Add
Adds the specified security principal to the msDS-RevealOnDemandGroup attribute that is associated with the RODC. (This attribute is also known as the Allowed List.)
Note
You cannot use repadmin /prp commands to add an account to the Deny List or remove an account from the Deny List. To configure the Deny List, you can use the Active Directory Users and Computers snap-in or you can create a script. For example, if you want to prevent the passwords of members of the group RODC2Admins from being cached on RODC2, which is located in the Branch2 organizational unit (OU) of hq.cpandl.com, you can use the following script:
```vbscript
Option Explicit
' The following constants select whether PutEx clears, updates, appends to,
' or deletes from a property of an Active Directory object.
Const ADS_PROPERTY_CLEAR = 1
Const ADS_PROPERTY_UPDATE = 2
Const ADS_PROPERTY_APPEND = 3
Const ADS_PROPERTY_DELETE = 4
' The setting for ATT determines which list is modified:
'   msDS-AuthenticatedToAccountList is the Authenticated To (auth2) list
'   msDS-RevealedList is the password revealed (cached) list
'   msDS-RevealOnDemandGroup is the Allowed List (allowed to authenticate)
'   msDS-NeverRevealGroup is the Deny List (denied from authenticating)
Const ATT = "msDS-NeverRevealGroup"
Dim PRPObj, RODCObj, objComputer
' PRPObj is the distinguished name of the security principal to add to the list.
PRPObj = "CN=RODC2Admins,OU=Branch2,DC=hq,DC=cpandl,DC=com"
' RODCObj is the LDAP path of the RODC computer object whose PRP is modified.
RODCObj = "LDAP://CN=RODC2,OU=Domain Controllers,DC=hq,DC=cpandl,DC=com"
' Bind to the RODC computer object.
Set objComputer = GetObject(RODCObj)
' Append PRPObj to ATT; the first argument selects CLEAR, UPDATE, APPEND, or DELETE.
objComputer.PutEx ADS_PROPERTY_APPEND, ATT, Array(PRPObj)
' Commit the change to the directory.
objComputer.SetInfo
' Confirm that the modification has taken place (optional).
WScript.Echo "Modified list attributes for object " & PRPObj
' Exit the script.
WScript.Quit 0
```
Syntax
repadmin /prp add <RODC> allow <PRINCIPAL>
Additional parameters

Parameter | Description |
---|---|
<RODC> | Specifies the host name of the RODC. You can specify the single-label host name or the fully qualified domain name (FQDN). In addition, you can use an asterisk (*) as a wildcard character to specify multiple RODCs in one domain. |
<PRINCIPAL> | Specifies the name of the security principal that you want to add to the Allowed List. |
Delete
Deletes one or more specified security principals from the msDS-AuthenticatedToAccountList attribute or from the msDS-RevealOnDemandGroup attribute that is associated with the RODC. (The msDS-AuthenticatedToAccountList attribute is also known as the Authenticated To List, and the msDS-RevealOnDemandGroup attribute is also known as the Allowed List.)
Syntax
repadmin /prp delete <RODC> allow {<PRINCIPAL>|/all}
repadmin /prp delete <RODC> auth2 /all
Additional parameters

Parameter | Description |
---|---|
<RODC> | Specifies the host name of the RODC. You can specify the single-label host name or the FQDN. In addition, you can use an asterisk (*) as a wildcard character to specify multiple RODCs in one domain. |
<PRINCIPAL> | Specifies the name of the security principal that you want to delete from the Allowed List. Specify /all to have the operation delete all security principals. |
/all | Specifies all security principals. You cannot delete only one security principal from the msDS-AuthenticatedToAccountList attribute. |
Move
Moves all the security principals from the msDS-AuthenticatedToAccountList attribute to the specified group. If the group does not exist, this command creates the group. If necessary, this command also adds the group to the msDS-RevealOnDemandGroup attribute of the RODC. (The msDS-AuthenticatedToAccountList attribute is also known as the Authenticated To List, and the msDS-RevealOnDemandGroup attribute is also known as the Allowed List.)
Syntax
repadmin /prp move <RODC> <Group> [/noauth2cleanup] [/users_only | /comps_only]
Additional parameters

Parameter | Description |
---|---|
<RODC> | Specifies the host name of the RODC. For this operation, you can specify the single-label host name or the FQDN. |
<Group> | Specifies the name of the security group to which you want to move the security principals. If the security group does not exist, this command creates the security group in the built-in Users container. You can specify the name of the security group but not the distinguished name. |
/noauth2cleanup | Retains the list of security principals in the msDS-AuthenticatedToAccountList attribute after the Move operation is complete. By default, the msDS-AuthenticatedToAccountList attribute is cleared. |
/users_only | Moves only user accounts from the msDS-AuthenticatedToAccountList attribute to the specified group. The group is then added to the msDS-RevealOnDemandGroup attribute. |
/comps_only | Moves only computer accounts from the msDS-AuthenticatedToAccountList attribute to the specified group. The group is then added to the msDS-RevealOnDemandGroup attribute. |
View
Displays the security principals in the specified list or displays the current PRP setting (allowed or denied) for a specified user.
Syntax
repadmin /prp view <RODC> {<List_Name>|<User>}
Additional parameters

Parameter | Description |
---|---|
<RODC> | Specifies the host name of the RODC. You can specify the single-label host name or the fully qualified domain name. In addition, you can use an asterisk (*) as a wildcard character to specify multiple RODCs in one domain. |
<List_Name> | Specifies the list whose security principals you want to view. The valid list names are as follows: |
<User> | Displays the effective PRP setting (allowed or denied) for the specified user. You can specify the user name only or the distinguished name. |
Examples
The following example lists the users whose passwords are currently cached on the domain controller named br1-rodc01:
repadmin /prp view br1-rodc01 reveal
The following command adds the user account named MikeDan to the Allowed List of the domain controller named br1-rodc1, so that its password can be cached there:
repadmin /prp add br1-rodc1 allow cn=MikeDan,ou=user-groups,dc=contoso,dc=com
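The four lists that repadmin /prp operates on (allow, deny, auth2 and reveal) are the usual starting point for an RODC review. The following PowerShell script is an added example, not part of the Repadmin documentation; it assumes the RSAT ActiveDirectory module and read access to the RODC computer objects, and it reports each RODC's list sizes and flags any already-cached (revealed) account that carries adminCount=1, a defender's choice of threshold for "protected account".

```powershell
# Added example: audit the Password Replication Policy of every RODC in the domain.
# Assumes the ActiveDirectory module (RSAT) is installed; the cmdlets below read the
# same lists that repadmin /prp view exposes as allow, deny, auth2 and reveal.
Import-Module ActiveDirectory

function Get-RodcPrpReport {
    param(
        # Default: every RODC in the domain. Pass names to restrict the scope.
        [string[]]$Rodc = (Get-ADDomainController -Filter { IsReadOnly -eq $true }).Name
    )
    foreach ($dc in $Rodc) {
        # Policy (what may be cached) ...
        $allowed  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $dc -Allowed
        $denied   = Get-ADDomainControllerPasswordReplicationPolicy -Identity $dc -Denied
        # ... and usage (what has actually been cached or forwarded).
        $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $dc -RevealedAccounts
        $auth2    = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $dc -AuthenticatedAccounts

        # The finding that matters most: a password already cached on the RODC that
        # belongs to an AdminSDHolder-protected account (adminCount=1). Compromise of
        # the RODC would expose it, so it belongs in the Deny List, not the Allowed List.
        $privilegedRevealed = @(
            foreach ($acct in $revealed) {
                $obj = Get-ADObject -Identity $acct.DistinguishedName -Properties adminCount
                if ($obj.adminCount -eq 1) { $obj.DistinguishedName }
            }
        )

        [pscustomobject]@{
            RODC               = $dc
            AllowedCount       = @($allowed).Count
            DeniedCount        = @($denied).Count
            RevealedCount      = @($revealed).Count
            # auth2 entries authenticated through this RODC without being cached;
            # repadmin /prp move converts them into an Allowed List group.
            Auth2Count         = @($auth2).Count
            PrivilegedRevealed = $privilegedRevealed
        }
    }
}

# Print one record per RODC; a non-empty PrivilegedRevealed warrants follow-up.
Get-RodcPrpReport | Format-List
```

Run it from a writable domain controller or an administrative workstation; the counts correspond to what repadmin /prp view <RODC> allow, deny, auth2 and reveal would list for each RODC.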