Check password replication on a RODC

Hello,

How can I check if a user account is really replicated on a RODC ? (In most cases, we do that to ensure we can still open a session on the RODC in case of a network failure)

You can use the GUI, “DSA.MSC”, open up the “Password replication Policy” tab on the RODC object, click on “Advanced”, and check if your user is in the list. That’s a lot of clicks, here is a PowerShell version :

try {
$obj = [adsisearcher]"cn=RODC-Name"
$obj.propertiesToLoad.Add('msds-revealedlist') | Out-Null
$comp = $obj.FindOne()
}
catch {"KO - ADSISearcher"}

$comp.properties.'msds-revealedlist' | ? {$_ -like "S:10:unicodePwd:CN=SamAccountNameOfYourUser*"}

Please note the “*” after the SamAccountName of the user.

Example :

Offline1

Please also note that we don’t use the “ActiveDirectory” PowerShell module, but if you have the module available, check this cmdlets : Get-ADDomainControllerPasswordReplicationPolicyUsage

Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 2K12R2RODC -RevealedAccounts

Offline1ADPSModule

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.