We have already configured a Read-Only Domain Controller Windows Server 2016 Using PowerShell. In this related guide, we will see how we can configure credential caching on RODC Windows Server 2016. So when a branch user authenticates, their passwords are replicated and cached on RODC.

Passwords of those users are cached which are in password replication policy (PRP) of Read-Only Domain Controller Windows Server 2016 (It is also important that the computer(s) which users are using to log in  at branch office are also in this group ).  Further PRP has built-in groups Allowed Password Replication Group and Denied Password Replication Group. Some privileged accounts are by default part of denied password replication so their passwords are no cached.

Adding Users to Allowed Password Replication Group Using Powershell

Execute following cmdlet on PowerShell. This will add all users from students OU to allowed password replication group.

Get-ADUser -SearchBase ‘OU=Students,DC=yourdomain,DC=com’ -Filter * | ForEach-Object {Add-ADGroupMember -Identity ‘Allowed RODC Password Replication Group’ -Members $_ -Confirm:$false }

Make branch user to Login twice to a computer and then check the password cached and stored on RODC by executing following cmdlet. Replace the appropriate values.

Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity "<RODCMachineName>" -RevealedAccounts | ft Name,ObjectClass
How to Configure Credential Caching on Read-Only Domain Controller Windows Server 2016 Using PowerShell

Karim Buzdar

About the Author: Karim Buzdar holds a degree in telecommunication engineering and holds several sysadmin certifications. As an IT engineer and technical author, he writes for various web sites. He blogs at LinuxWays.

Leave a Reply

Your email address will not be published. Required fields are marked *