Repadmin /prp

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2

Lists and modifies the Password Replication Policy (PRP) for read-only domain controllers (RODCs).

You run the repadmin /prp command against a writable domain controller that runs Windows Server 2008 rather than an RODC.

For examples of how to use this command, see Examples.

Syntax

repadmin /prp <OPERATION> <RODC> [ADDITIONAL_ARGS]

Operations

The repadmin /prp command can perform the following operations:

  • Add

  • Delete

  • Move

  • View

Additional arguments are available for each operation.

Add

Adds the specified security principal to the msDS-RevealOnDemandGroup attribute that is associated with the RODC. (This attribute is also known as the Allowed List.)

Note

You cannot use repadmin /prp commands to add an account to the Deny List or remove an account from the Deny List. To configure the Deny List, you can use the Active Directory Users and Computers snap-in or you can create a script. For example, if you want to deny members of the group RODC2Admins from caching passwords on RODC2, which is located in the Branch2 organizational unit (OU) of hq.cpandl.com, you can use the following script:

'The following items specify to Clear, Update, Append, or Delete a property of an Active Directory object
Const ADS_PROPERTY_CLEAR = 1
Const ADS_PROPERTY_UPDATE = 2
Const ADS_PROPERTY_APPEND = 3
Const ADS_PROPERTY_DELETE = 4

Const ATT = "msDS-NeverRevealGroup"
'The setting for ATT determines which list will be modified
'msDS-AuthenticatedToAccountlist is for the authenticated to or Auth2 list
'msDS-RevealedList is for the password revealed or cached list
'msDS-RevealOnDemandGroup is for the allowed to authenticate list
'msDS-NeverRevealGroup is for the denied from authenticating list

'PRPObj defines the object that needs to be modified in the PRP list
PRPObj = "CN=RODC2Admins,OU=Branch2,DC=hq,DC=cpandl,DC=com"

'RODCObj defines the RODC for which the PRP should be modified
RODCObj = "LDAP://CN=RODC2,OU=Domain Controllers,DC=hq,DC=cpandl,DC=com"

'Sets the object to modify based on the LDAP path set in RODCObj
Set objComputer = GetObject(RODCObj)

'Implements the change, which depending on the word after ADS_PROPERTY_ is a CLEAR, UPDATE, APPEND, or DELETE operation
objComputer.PutEx ADS_PROPERTY_APPEND, ATT, Array(PRPObj)
objComputer.SetInfo

'Confirms that the modification has taken place (this is optional)
wscript.echo "Modified list attributes for object " & PRPObj 

'Closes the script
wscript.quit(0)

Syntax

repadmin /prp add <RODC> allow <PRINCIPAL>

Additional parameters

Parameter Description

<RODC>

Specifies the host name of the RODC. You can specify the single-label host name or the fully qualified domain name (FQDN). In addition, you can use an asterisk (*) as a wildcard character to specify multiple RODCs in one domain.

<PRINCIPAL>

Specifies the name of the security principal that you want to add to the Allowed List.

Delete

Deletes one or more specified security principals from the msDS-AuthenticatedToAccountList attribute or from the msDS-RevealOnDemandGroup attribute that is associated with the RODC. (The AuthenticatedToAccountList attribute is also known as the Authenticated to List, and the msDS-RevealOnDemandGroup attribute is also known as the Allowed List.)

Syntax

repadmin /prp delete <RODC> allow {<PRINCIPAL>|/all}
repadmin /prp delete <RODC> auth2 /all

Additional parameters

Parameter Description

<RODC>

Specifies the host name of the RODC. You can specify the single-label host name or the FQDN. In addition, you can use an asterisk (*) as a wildcard character to specify multiple RODCs in one domain.

<PRINCIPAL>

Specifies the name of the security principal that you want to delete from the Allowed List. Specify /all to have the operation delete all security principals.

/all

Specifies all security principals. You cannot delete only one security principal from the msDS-AuthenticatedToAccountList attribute.

Move

Moves all the security principals from the msDS-AuthenticatedToAccountList attribute to the specified group. If the group does not exist, this command creates the group. If necessary, this command also adds the group to the msDS-RevealOnDemandGroup attribute of the RODC. (The msDS-AuthenticatedToAccountList attribute is also known as the Authenticated To List, and the msDS-RevealOnDemandGroup attribute is also known as the Allowed List.)

Syntax

repadmin /prp move <RODC> <Group> [/noauth2cleanup] [/users_only | /comps_only]

Additional parameters

Parameter Description

<RODC>

Specifies the host name of the RODC. For this operation, you can specify the single-label host name or the FQDN.

<Group>

Specifies the name of the security group to which you want to move the security principals. If the security group does not exist, this command creates the security group in the built-in Users container. You can specify the name of the security group but not the distinguished name.

/noauth2cleanup

Retains the list of security principals in the msDS-AuthenticatedToAccountList attribute after the Move operation is complete. By default, the msDS-AuthenticatedToAccountList attribute is cleared.

/users_only

Moves only user accounts from the msDS-AuthenticatedToAccountList attribute to the specified group. The group is then added to the msDS-RevealOnDemandGroup attribute.

/comps_only

Moves only computer accounts from the msDS-AuthenticatedToAccountList attribute to the specified group. The group is then added to the msDS-RevealOnDemandGroup attribute.

View

Displays the security principals in the specified list or displays the current PRP setting (allowed or denied) for a specified user.

Syntax

repadmin /prp view <RODC> {<List_Name>|<User>}

Additional parameters

Parameter Description

<RODC>

Specifies the host name of the RODC. You can specify the single-label host name or the fully qualified domain name. In addition, you can use an asterisk (*) as a wildcard character to specify multiple RODCs in one domain.

<List_Name>

Specifies all the security principals that are in the list that you want to view. The valid list names are as follows:

  • auth2: The list of security principals that the RODC has authenticated.

  • reveal: The list of security principals for which the RODC has cached passwords.

  • allow: The list of security principals in the msDS-RevealOnDemandGroup attribute. The RODC can cache passwords for this list of security principals only.

  • deny: The list of security principals in the msDS-NeverRevealGroup attribute. The RODC cannot cache passwords for any security principals in this list.

<User>

Specifies the effective PRP setting (allowed or denied) for the specified user. You can specify the user name only or the distinguished name.

Examples

The following example lists the users whose passwords are currently cached on the domain controller named br1-rodc01:

repadmin /prp view br1-rodc01 reveal

The following command caches the password for the user account named MikeDan on the domain controller named br1-rodc1:

repadmin /prp add br1-rodc1 allow cn=MikeDan,ou=user-groups,dc=contoso,dc=com

Additional references

Command-Line Syntax Key

Repadmin