Check password replication on a RODC


How can I check if a user account's password is really replicated to a RODC? (In most cases we do that to make sure the user can still open a session on the RODC in case of a network failure.)

You can use the GUI: in “DSA.MSC”, open the “Password Replication Policy” tab on the RODC object, click “Advanced”, and check whether your user is in the list. That’s a lot of clicks, so here is a PowerShell version:

try {
    $obj = [adsisearcher]"cn=RODC-Name"                         # replace RODC-Name with the CN of your RODC
    $obj.PropertiesToLoad.Add('msds-revealedlist') | Out-Null   # only load the list of revealed accounts
    $comp = $obj.FindOne()
}
catch { "KO - ADSISearcher" }

# Each value reads "S:10:unicodePwd:<DN of the account>"; keep the entries for your user
$comp.Properties.'msds-revealedlist' | ? { $_ -like "S:10:unicodePwd:CN=SamAccountNameOfYourUser*" }

Please note the “*” after the SamAccountName of the user.

Example :


Please also note that we don’t use the “ActiveDirectory” PowerShell module, but if you have the module available, check this cmdlet: Get-ADDomainControllerPasswordReplicationPolicyUsage

Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 2K12R2RODC -RevealedAccounts
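As an added example (not code from the original post), here is a function built on the same ADSI search that first resolves the user's distinguishedName from the sAMAccountName (the DN in msDS-RevealedList carries the object's CN, which is not always the sAMAccountName) and then reports every secret attribute the RODC has cached for that account; the RODC name 'RODC-Name' and the user 'jdoe' are placeholders.

```powershell
function Get-RodcRevealedSecrets {
    # Returns one object per secret attribute (unicodePwd, etc.) cached on the RODC
    # for the given user. Parameter values below are hypothetical placeholders.
    param(
        [Parameter(Mandatory)] [string] $RodcName,        # CN of the RODC computer object
        [Parameter(Mandatory)] [string] $SamAccountName   # sAMAccountName of the user to check
    )

    # Resolve the user's DN: msDS-RevealedList stores DNs, and the CN in a DN
    # may differ from the sAMAccountName, so a wildcard on the name can miss or over-match.
    $userSearch = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $userSearch.PropertiesToLoad.Add('distinguishedName') | Out-Null
    $user = $userSearch.FindOne()
    if (-not $user) { throw "User '$SamAccountName' not found" }
    $userDn = [string]$user.Properties['distinguishedname'][0]

    # Read the revealed list from the RODC computer object
    $rodcSearch = [adsisearcher]"(&(objectCategory=computer)(cn=$RodcName))"
    $rodcSearch.PropertiesToLoad.Add('msDS-RevealedList') | Out-Null
    $rodc = $rodcSearch.FindOne()
    if (-not $rodc) { throw "RODC '$RodcName' not found" }

    # Each value looks like "S:10:unicodePwd:CN=...,DC=...":
    # S = DN-String syntax, 10 = length of the attribute name, then the account DN.
    foreach ($entry in $rodc.Properties['msds-revealedlist']) {
        if ($entry -match '^S:(\d+):([^:]+):(.+)$') {
            if ($Matches[3] -ieq $userDn) {
                [pscustomobject]@{
                    RODC      = $RodcName
                    User      = $SamAccountName
                    Attribute = $Matches[2]   # e.g. unicodePwd, supplementalCredentials
                }
            }
        }
    }
}

# Usage with placeholder names
$revealed = Get-RodcRevealedSecrets -RodcName 'RODC-Name' -SamAccountName 'jdoe'
if ($revealed) {
    $revealed | Format-Table -AutoSize
} else {
    Write-Warning "No secrets for 'jdoe' are cached on 'RODC-Name': logon there will fail if the WAN link is down"
}
```

Read the other way round, the same list tells you which accounts' secrets are stored on that branch-office RODC, which is what you need to review when assessing what a compromise of that RODC would expose.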

