Securing Accounts After an RODC Is Stolen
Updated: April 10, 2009
Applies To: Windows Server 2008, Windows Server 2008 R2
If you become aware of a stolen or otherwise compromised read-only domain controller (RODC), you should act quickly to delete the RODC account from the domain and to reset the passwords of the accounts whose current passwords are stored on the RODC.
Membership in the Domain Admins group or the Enterprise Admins group, or equivalent, is the minimum required to complete these procedures. As a security best practice, consider using Run as to perform this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
An efficient tool for removing the RODC computer account and resetting all the passwords for the accounts that were authenticated to it is the Active Directory Users and Computers snap-in.
1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
2. Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correct domain. To connect to the appropriate domain or domain controller, in the details pane, right-click the Active Directory Users and Computers object, and then click Change Domain or Change Domain Controller, respectively.
3. In the console tree, expand the domain object, and then select the Domain Controllers organizational unit (OU).
4. In the details pane, right-click the RODC computer account, and then click Delete.
5. When the Active Directory Domain Services dialog box appears, click Yes to confirm the deletion.
6. In the Deleting Domain Controller dialog box (shown below), select the appropriate options to indicate whether you want to reset all user account passwords or all computer account passwords, and specify the location (file system path) where you want to export a list of the accounts whose current passwords were cached on the RODC. You can clear or select any of the check boxes at this point. By default, the Reset all passwords for user accounts that were cached on this Read-only Domain Controller and the Export the list of accounts that were cached on this Read-only Domain Controller to this file: check boxes are selected, as shown in the following illustration. If you also want to reset the passwords for the computer accounts that were cached on the RODC, you must select the Reset all passwords for computer accounts that were cached on this Read-only Domain Controller check box. Although computer account passwords are reset every 30 days by default, you can choose to reset those account passwords immediately, which may reduce the chance that the computer accounts that were cached on the RODC can be used by an attacker in an attempt to compromise the domain before the accounts are reset automatically. When you are ready to proceed, click Delete.
   Note: If you reset the computer account passwords, you will have to rejoin the computers to the domain. If you automatically reset the user account passwords, users will not be able to log on to the domain until they contact an account administrator to have their passwords reset to a mutually agreed-on password.
7. The Deleting Domain Controller dialog box then asks you to confirm your deletion request. Verify that the request is accurate, and then click OK to continue with the deletion, as shown in the following illustration.
8. If the domain controller was also a global catalog server, a message appears, asking whether you want to continue. To proceed, click Yes. The computer account is removed, and the directory metadata is then cleaned up.
To remove the RODC computer account and reset the passwords of the accounts that were cached on the RODC from the command line, use the ntdsutil, net user, and netdom commands.
The process for removing an RODC account using ntdsutil is described in RODC Removal and Reinstallation.
To reset user account passwords, you can use the command net user <username> <password>. For example, to set the password to Tr@skw0rlN for an account named Bob in the hq.cpandl.com domain, open an elevated command prompt, type net user bob Tr@skw0rlN, and then press ENTER.
To reset computer account passwords, you can use the following command: netdom resetpwd /s:<computername> /ud:<domain>\<adminuser> /pd:*. For example, to reset a computer account named Vista1 in the domain hq.cpandl.com, using an account named Dadmin that is a member of the Domain Admins group, type netdom resetpwd /s:Vista1 /ud:hq.cpandl.com\Dadmin /pd:*, and then press ENTER. When you are prompted, type the password for the Dadmin account, and then press ENTER.
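The following script is an added example of the bulk reset that the command-line procedure above performs one account at a time; it is not part of this article and not Microsoft's own code. It assumes the Active Directory module for Windows PowerShell (available on Windows Server 2008 R2) running on a writeable domain controller, and uses the Get-ADDomainControllerPasswordReplicationPolicyUsage cmdlet with -RevealedAccounts to read the list of accounts whose passwords were cached on the RODC. The RODC name and the report path are placeholders. Because that list is an attribute of the RODC's own computer object, the script must run before the RODC account is deleted with ntdsutil; the exported CSV then serves the same purpose as the file written by the Deleting Domain Controller dialog box. Unlike net user with the password on the command line, the new passwords here are random, never displayed, and are only a bridge until the user is given a new password by an administrator.

```powershell
# Added example, not from the article: enumerate accounts cached on a stolen RODC,
# record them, reset the user passwords, and list the computer accounts that
# will need to be rejoined if their passwords are reset.
# Assumptions: AD PowerShell module present; run as Domain Admins on a writeable DC;
# $Rodc and $ReportPath are placeholders to replace with real values.
Import-Module ActiveDirectory

$Rodc       = 'RODC01'                          # placeholder: name of the stolen RODC
$ReportPath = 'C:\IR\rodc-cached-accounts.csv'  # placeholder: where to keep the record

# Must run BEFORE the RODC computer account is removed: the revealed-accounts list
# lives on the RODC object and goes away with it.
$Revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts

# Keep a record of every account that was exposed, for the incident file.
$Revealed | Select-Object Name, SamAccountName, ObjectClass, DistinguishedName |
    Export-Csv -Path $ReportPath -NoTypeInformation

function New-RandomPassword {
    param([int]$Length = 24)
    # Printable ASCII (excluding space) chosen with a cryptographic RNG.
    $chars = [int][char]'!'..[int][char]'~' | ForEach-Object { [char]$_ }
    $bytes = New-Object byte[] $Length
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Count] })
}

foreach ($acct in $Revealed) {
    # Assumption: the RODC-specific krbtgt account appears in the list; it is
    # removed together with the RODC object, so it is skipped here.
    if ($acct.SamAccountName -like 'krbtgt*') { continue }

    switch ($acct.ObjectClass) {
        'user' {
            # Reset to an unknown random value and require a change at next logon,
            # so the user gets a fresh password from an administrator (see the Note above).
            $new = ConvertTo-SecureString -String (New-RandomPassword) -AsPlainText -Force
            Set-ADAccountPassword -Identity $acct.DistinguishedName -Reset -NewPassword $new
            Set-ADUser -Identity $acct.DistinguishedName -ChangePasswordAtLogon $true
            Write-Output ("Reset user password: {0}" -f $acct.SamAccountName)
        }
        'computer' {
            # Not reset here: resetting a computer account means rejoining that
            # machine to the domain, so these are reported for a separate step
            # (for example netdom resetpwd, as described above).
            Write-Output ("Computer account was cached on the RODC (rejoin needed if reset): {0}" -f $acct.Name)
        }
        default {
            Write-Output ("Other cached account ({0}): {1}" -f $acct.ObjectClass, $acct.Name)
        }
    }
}
```

Review the CSV before running the reset loop on a production domain: the revealed list can include service accounts whose password is also configured in applications, and those need a coordinated change rather than a forced one.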
For information about creating a script to reset user account passwords, see the following resources: