If a password replication policy (PRP) is configured and the branch users are added into an allowed password replication group, their passwords are cached on Read-Only Domain Controller when they login to computers at the branch office. However, you can prepopulate their passwords before they login using PowerShell.

Prepopulate Password on Read-Only Domain Controller

Step 1. Open PowerShell with elevated privileges

Step 2. Execute the following script. This will populate the passwords of all users from branch users OU.

$users = Get-ADUser -SearchBase "OU=Branch Users,dc=yourdomain,dc=com" -Filter *

foreach ($user in $users) {
Get-ADObject -identity $user | Sync-ADObject -Source SERVER2016 -Destination SRV-02RODC -PasswordOnly

To confirm the prepopulated passwords, execute the following cmdlet.

Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity "<SRV-02>" -RevealedAccounts | ft Name,ObjectClass.

Above command when executed will return the password of all users stored on RODC.

How to Prepopulate Password on Read-Only Domain Controller Windows Server 2016 Using PowerShell

Karim Buzdar

About the Author: Karim Buzdar holds a degree in telecommunication engineering and holds several sysadmin certifications. As an IT engineer and technical author, he writes for various web sites. You can reach Karim on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked *