Securely managing RODCs

If you need to administer a RODC, do it remotely. Don’t log on locally to a RODC with your domain admin account, or you’ll compromise its security. If you MUST log on locally to a RODC, create a temporary domain user account for that purpose and add it to the security group to which you have delegated authority for administering RODCs. Delegation of RODC installation and administration is assigned to a group or user when you run the Active Directory Installation Wizard to promote a server to a RODC, but you can also specify a group or user for delegation afterwards by opening the properties of the RODC’s computer account and selecting the Managed By tab. Once you’ve finished the admin tasks that required the local logon, delete the temporary user account for security reasons. More here:
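
The temporary-account procedure above, written out with the ActiveDirectory PowerShell module. This is an added example, not part of the original tip; the names `RODC01` and `tmp-rodc-maint` and the 4-hour account expiry are assumptions, and the expiry is an extra safety net the tip itself does not mention.

```powershell
#Requires -Modules ActiveDirectory
# Added example. RODC01, tmp-rodc-maint and the 4-hour expiry are assumed values.
param(
    [Parameter(Mandatory)][ValidateSet('Create', 'Remove')][string]$Action,
    [string]$RodcName = 'RODC01',
    [string]$TempSam  = 'tmp-rodc-maint',
    [int]$HoursValid  = 4
)
$ErrorActionPreference = 'Stop'

# The delegated RODC administrator is stored in the ManagedBy attribute
# of the RODC's computer account (the Managed By tab).
$rodc = Get-ADComputer -Identity $RodcName -Properties ManagedBy
if (-not $rodc.ManagedBy) {
    throw "No Managed By delegate is set on $RodcName."
}
$delegate = Get-ADObject -Identity $rodc.ManagedBy
if ($delegate.ObjectClass -ne 'group') {
    # Delegation can also point at a single user; there is no group to join then.
    throw "Managed By on $RodcName is a $($delegate.ObjectClass), not a group."
}

switch ($Action) {
    'Create' {
        $pw = Read-Host -AsSecureString -Prompt "Password for $TempSam"
        # Expiry is a safety net in case the Remove step is forgotten.
        New-ADUser -Name $TempSam -SamAccountName $TempSam -AccountPassword $pw `
            -Enabled $true -AccountExpirationDate (Get-Date).AddHours($HoursValid) `
            -Description "Temporary local-logon account for $RodcName"
        Add-ADGroupMember -Identity $delegate.DistinguishedName -Members $TempSam
    }
    'Remove' {
        Remove-ADGroupMember -Identity $delegate.DistinguishedName `
            -Members $TempSam -Confirm:$false
        Remove-ADUser -Identity $TempSam -Confirm:$false
        # Confirm the account is really gone.
        if (Get-ADUser -Filter "SamAccountName -eq '$TempSam'") {
            throw "$TempSam still exists."
        }
    }
}
```

Run it with `-Action Create` before the local logon and `-Action Remove` as soon as the work is done, from a management workstation rather than from the RODC itself.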

The above tip was previously published in an issue of WServerNews, a weekly newsletter from TechGenix that focuses on the administration, management and security of the Windows Server platform in particular and cloud solutions in general. Subscribe to WServerNews today by going to and join almost 100,000 other IT professionals around the world who read our newsletter!

Mitch Tulloch is an eleven-time recipient of the Microsoft Most Valuable Professional (MVP) award and a widely recognized expert on Windows Server and cloud computing technologies.  Mitch is also Senior Editor of WServerNews. For more information about him see
