Prepopulating passwords

Applies To: Windows Server 2008

Credential Caching

Credential caching is the storage of user or computer credentials. By default, a Windows Server 2008 read-only domain controller (RODC) does not store user credentials or computer credentials except for its own computer account and a special krbtgt account for that RODC. You must explicitly allow any other credentials to be cached on that RODC.

Password Replication Policy

When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domain controller that will be its replication partner. The Password Replication Policy acts as an access control list (ACL). It determines whether an RODC should be permitted to cache a password. After the RODC receives an authenticated user or computer logon request, it refers to the Password Replication Policy to determine if the password for the account should be cached. Subsequent logons by the same account can then be performed more efficiently.

Password Replication Policy Allowed and Denied Lists

Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to support RODC operations. These new built-in groups are the Domain RODC Password Replication Allowed Group and the Domain RODC Password Replication Denied Group. These groups help implement a default Allowed List and a Denied List for the RODC Password Replication Policy.

By default, the Domain RODC Password Replication Denied Group contains the following members:

  • Enterprise Domain Controllers

  • Enterprise Read-Only Domain Controllers

  • Group Policy Creator Owners

  • Domain Admins

  • Cert Publishers

  • Enterprise Admins

  • Schema Admins

  • Domain-wide krbtgt account

By default, the Denied List attribute contains the following security principals, all of which are built-in groups:

  • Domain RODC Password Replication Denied Group

  • Account Operators

  • Server Operators

  • Backup Operators

  • Administrators

Expiration of cached passwords

After an RODC caches a password for a user, the password remains in the Active Directory database until one of the following conditions occurs:

  • The user changes the password. In this case, the password is not purged from the cache, but it is no longer valid.

  • The Password Replication Policy for the RODC in question changes so that the user's password should no longer be cached. In addition, the user tries to access a noncacheable resource by using a ticket-granting ticket (TGT) that the RODC issues.

Clearing cached passwords

There is no mechanism in Windows Server 2008 to clear the cached password for a given user on an RODC. In the event that an RODC is compromised, reset the passwords that are currently cached, and then rebuild the RODC.
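As an added example (not from the original page), the following PowerShell script shows how an administrator can inspect the Password Replication Policy described above, see which accounts an RODC has actually cached, flag any cached account that belongs to one of the privileged groups the default Denied List protects, and perform the reset-all-cached-passwords step recommended for a compromised RODC. It assumes the ActiveDirectory module (RSAT) is installed, that the caller has rights to read the RODC's policy and reset passwords, and uses a hypothetical RODC named RODC01.

```powershell
# Added example: audit and, if needed, reset the credentials cached on an RODC.
# Assumes the ActiveDirectory module and a hypothetical RODC named RODC01.
Import-Module ActiveDirectory

$Rodc = 'RODC01'   # hypothetical RODC computer name

# 1. Show the Password Replication Policy, the ACL that decides what may be cached.
Write-Host "Allowed list for ${Rodc}:"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object -ExpandProperty Name
Write-Host "Denied list for ${Rodc}:"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
    Select-Object -ExpandProperty Name

# 2. List the accounts whose passwords are actually cached ("revealed") on the RODC.
$Revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
Write-Host "Accounts currently cached on ${Rodc}: $($Revealed.Count)"

# 3. Warn about cached members of the groups the default Denied List is meant to keep off RODCs.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                    'Account Operators', 'Server Operators', 'Backup Operators'
$PrivilegedMembers = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty DistinguishedName
}
foreach ($acct in $Revealed) {
    if ($PrivilegedMembers -contains $acct.DistinguishedName) {
        Write-Warning "Privileged account cached on ${Rodc}: $($acct.SamAccountName)"
    }
}

# 4. Incident response: there is no per-user purge, so reset every cached user password.
#    Cached computer accounts are not handled here; reset those from the computers themselves.
function Reset-RodcCachedPasswords {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$RodcName)
    $cached = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts
    foreach ($a in $cached) {
        if ($a.ObjectClass -eq 'user' -and $PSCmdlet.ShouldProcess($a.SamAccountName, 'Reset password')) {
            # Random 24-character password; the user must pick a new one at next logon.
            $new = -join ((33..126) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
            Set-ADAccountPassword -Identity $a.DistinguishedName -Reset `
                -NewPassword (ConvertTo-SecureString $new -AsPlainText -Force)
            Set-ADUser -Identity $a.DistinguishedName -ChangePasswordAtLogon $true
        }
    }
}

# Dry run first; remove -WhatIf to perform the resets, then rebuild the RODC.
Reset-RodcCachedPasswords -RodcName $Rodc -WhatIf
```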