How To Designate A Domain User To Manage A RODC?

RODC contains the read only copy of Active Directory Domain database. RODC is designed for locations where Administrators have less knowledge of the Active Directory. A user or domain administrator can not perform LDAP write operations on the RODC. This write operation is meant only for Domain database or NTDS.DIT file but RODC still needs to be managed by a user for maintenance purpose such as installing patches, updating antivirus etc. These tasks can be performed only by a local administrator on a member server but RODCs do not have the local administrators as they are part of the Active Directory domain.

You can designate a domain user to perform the maintenance tasks on the RODC by running the following commands on RODC computer:

  • Dsmgmt and then press Enter
  • Type Add user_name Administrators

The above command will report a message "Command completed successfully". The above entry adds the entry at the following location in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RODCRoles

The above registry entry (RODCRoles) contains the list of user accounts who can manage RODC for maintenance purpose.

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top