Hello,
How can I check whether a user account is really replicated (its password cached) on an RODC? In most cases we do this to make sure the user can still log on through the RODC if the WAN link to a writable DC fails.
You can use the GUI: open "DSA.MSC", go to the "Password Replication Policy" tab of the RODC computer object, click "Advanced", and check whether your user is in the list of accounts whose passwords are stored on the RODC. That is a lot of clicks, so here is a PowerShell version:
```powershell
try {
    # Search for the RODC computer object; ADSISearcher binds to the current domain by default.
    $obj = [adsisearcher]"(cn=RODC-Name)"
    # Load only the attribute we need: msDS-RevealedList holds the secrets this RODC has cached.
    $obj.PropertiesToLoad.Add('msds-revealedlist') | Out-Null
    $comp = $obj.FindOne()
}
catch { "KO - ADSISearcher"; return }
if (-not $comp) { "KO - RODC object not found"; return }
# Each entry has the form "S:<length>:<attribute>:<DN>"; a unicodePwd entry means the password is cached.
$comp.Properties.'msds-revealedlist' | Where-Object { $_ -like "S:10:unicodePwd:CN=SamAccountNameOfYourUser*" }
```
Please note the "*" after the SamAccountName of the user: the entry continues with the rest of the distinguished name, so the wildcard is required for the match.
Example:
Please also note that we do not use the "ActiveDirectory" PowerShell module here, but if you have the module available, check this cmdlet: Get-ADDomainControllerPasswordReplicationPolicyUsage
```powershell
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 2K12R2RODC -RevealedAccounts
```
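As an added example that is not part of the original post, the function below wraps the same ADSISearcher approach into something reusable: it resolves the user's distinguishedName from the sAMAccountName first (so the match does not depend on how the CN is spelled), parses every "S:<length>:<attribute>:<DN>" entry of msDS-RevealedList, and reports which secrets the RODC has cached for that account. The RODC name 'RODC01' and the user 'jdoe' are hypothetical values.

```powershell
# Added example, not from the original post. Names used in the usage line are hypothetical.
function Test-RodcRevealedAccount {
    param(
        [Parameter(Mandatory)] [string]$RodcName,        # CN of the RODC computer object
        [Parameter(Mandatory)] [string]$SamAccountName   # sAMAccountName of the user to check
    )

    # 1. Resolve the user's DN: msDS-RevealedList stores distinguished names, not sAMAccountNames.
    $userSearcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $user = $userSearcher.FindOne()
    if (-not $user) { throw "User '$SamAccountName' not found in the current domain" }
    $userDn = [string]$user.Properties['distinguishedname'][0]

    # 2. Fetch the RODC computer object, loading only the attribute we need.
    $rodcSearcher = [adsisearcher]"(&(objectCategory=computer)(cn=$RodcName))"
    $rodcSearcher.PropertiesToLoad.Add('msds-revealedlist') | Out-Null
    $rodc = $rodcSearcher.FindOne()
    if (-not $rodc) { throw "RODC '$RodcName' not found in the current domain" }

    # 3. Parse each "S:<len>:<attribute>:<DN>" entry (DN-String syntax).
    #    Split into at most 4 parts so a DN that itself contains ':' stays intact.
    $revealed = foreach ($entry in $rodc.Properties['msds-revealedlist']) {
        $parts = ([string]$entry).Split(':', 4)
        if ($parts.Count -ne 4) { continue }
        [pscustomobject]@{ Attribute = $parts[2]; DN = $parts[3] }
    }

    # 4. Keep the entries that belong to this user and summarize them.
    $hits = @($revealed | Where-Object { $_.DN -eq $userDn })

    [pscustomobject]@{
        SamAccountName    = $SamAccountName
        DistinguishedName = $userDn
        Rodc              = $RodcName
        # unicodePwd is the NT password hash; if it is revealed, the RODC can authenticate the user offline.
        PasswordCached    = [bool]($hits | Where-Object { $_.Attribute -eq 'unicodePwd' })
        RevealedSecrets   = @($hits | ForEach-Object { $_.Attribute })
    }
}

# Usage (hypothetical names):
Test-RodcRevealedAccount -RodcName 'RODC01' -SamAccountName 'jdoe'
```

RevealedSecrets lists every attribute the RODC holds for the account (an RODC that has cached a password typically reveals several, such as unicodePwd and supplementalCredentials), so the output is also a quick way to review what is actually stored on a branch-office RODC.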