A Quick Tip To Allow DSRM Account To Log On Normally

In previous versions of Windows, the DSRM Administrator account could log on to a domain controller only in DSRM (Directory Services Restore Mode). Windows Server 2008 offers a new feature for DSRM: a DSRM Administrator can also log on to a domain controller normally (without DSRM). To enable this, you need to edit the registry of that domain controller. The following registry entry must be modified to enable this functionality:

  • Key Name: HKLM\System\CurrentControlSet\Control\Lsa
  • Entry Name: DsrmAdminLogonBehavior
  • Type: REG_DWORD
  • Value: 0, 1 or 2

0 – DSRM Administrator can log on only in the DSRM Mode. This is the default behavior.

1 – DSRM Administrator can log on when NTDS is stopped.

2 – DSRM Administrator can log on to the domain controller at any time.
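
The following PowerShell is an added example, not part of the original tip: it reads the entry described above, reports which of the three behaviors is in effect, and can set it as a REG_DWORD. The function names are hypothetical, and it assumes an elevated session on the domain controller itself.

```powershell
# Added example; Get-/Set-DsrmAdminLogonBehavior are hypothetical helper names.
$LsaKey    = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$ValueName = 'DsrmAdminLogonBehavior'
$Meaning   = @{
    0 = 'DSRM Administrator can log on only in DSRM (default)'
    1 = 'DSRM Administrator can log on when NTDS is stopped'
    2 = 'DSRM Administrator can log on to the domain controller at any time'
}

function Get-DsrmAdminLogonBehavior {
    # A missing entry is reported as 0, the default behavior.
    $item    = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    $present = $null -ne $item
    $value   = if ($present) { [int]$item.$ValueName } else { 0 }
    $desc    = if ($Meaning.ContainsKey($value)) { $Meaning[$value] }
               else { 'Value outside the documented range 0-2' }
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        EntryPresent = $present
        Value        = $value
        Behavior     = $desc
    }
}

function Set-DsrmAdminLogonBehavior {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateRange(0, 2)]
        [int]$Value
    )
    if ($PSCmdlet.ShouldProcess("$LsaKey\$ValueName", "Set REG_DWORD to $Value")) {
        # -Force creates the entry or overwrites it, always typed as REG_DWORD.
        New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType DWord `
            -Value $Value -Force | Out-Null
    }
    Get-DsrmAdminLogonBehavior
}

# Report the current setting. To change it, uncomment the next line
# (append -WhatIf to preview without writing to the registry).
Get-DsrmAdminLogonBehavior
# Set-DsrmAdminLogonBehavior -Value 1
```

The entry lives in each domain controller's own registry, so the check has to be run on every domain controller you want to review.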

