Remove cached password on RODC

Password caching on RODC

The FAQ on Technet said:

There is no mechanism to erase passwords after they are cached on an RODC. If you want to clear a password that is stored on an RODC, an administrator should reset the password in the hub site[…]

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754956(v=ws.10)

If you want to remove a password stored on a Read Only Domain Controller (RODC), the method is to reset the password of the desired user account. This must be done on a non-RODC domain controller. Thus, the password cached on the RODC will no longer be valid for accessing resources. But… keep reading if you want to manually reset it.

The password remains valid for authentication until the next replication cycle, at which point the value stored for this password on the RODC becomes NULL. After this deletion, there are two cases:

  • the Password Replication Policy (PRP) has not been changed: the user is still present in the msDS-RevealedList. The new password will be cached only after the user authenticates against the RODC (or if an administrator prepopulates it)
  • the Password Replication Policy has been changed to exclude the user from the msDS-RevealedList: the password remains blank on the RODC

Force cached password deletion with LDAP

If you are reading this article, though, it is because you want to force this deletion. There are cases where you cannot, or do not want to, reset the password, for example for a VIP (CEO, etc.).

The LDAP modify operation RODCPurgeAccount sets the cached password of a security principal (user or computer) on the RODC to NULL.

To run this RODCPurgeAccount, without the need to modify the password, you can:

  1. Open ldp.exe on a non-RODC machine and connect to the RODC on port 636 (LDAPS). If LDAPS is not enabled, port 389 (LDAP) works, but be aware that the traffic then crosses the network in clear, which could expose the Domain Admin password to a man-in-the-middle. The best practice is always to use TCP 636.
  2. Bind to the RODC with a Domain Admin account, then select Modify (operation) and fill in:
DN: [empty]
Edit Entry Attribute: RODCPurgeAccount
Values: [DistinguishedName of the account]

Click on Replace > Enter > Run.

You can also do this with PowerShell:
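As an added example (not the original post's script), the same rootDSE modify sent from PowerShell with System.DirectoryServices.Protocols; the RODC host name, the account DN and the function name are placeholders, and it assumes the session already runs as a Domain Admin with a trusted LDAPS certificate on the RODC:

```powershell
# Added example: purge one account's cached secret from an RODC by sending
# the rootDSE modify "rodcPurgeAccount" (empty DN, Replace) over LDAPS,
# exactly what the ldp.exe steps above do by hand.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Remove-RodcCachedSecret {
    param(
        [Parameter(Mandatory)][string]$Rodc,        # placeholder, e.g. "rodc01.corp.example"
        [Parameter(Mandatory)][string]$AccountDn    # DN of the user or computer account
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Rodc, 636)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true      # TCP 636 only, never plain 389
    $conn.SessionOptions.ProtocolVersion   = 3
    # Negotiate = Kerberos/NTLM with the current (Domain Admin) logon; no password on the wire
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()

    # Attribute names are case-insensitive; the page writes it RODCPurgeAccount.
    $mod = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $mod.Name      = 'rodcPurgeAccount'
    $mod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$mod.Add($AccountDn)

    $req = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $req.DistinguishedName = ''                          # empty DN = rootDSE
    [void]$req.Modifications.Add($mod)

    try {
        $resp = $conn.SendRequest($req)
        return $resp.ResultCode                          # Success once the cached secret is NULL
    }
    finally {
        $conn.Dispose()
    }
}

# Usage (placeholders):
# Remove-RodcCachedSecret -Rodc 'rodc01.corp.example' -AccountDn 'CN=Jane Doe,OU=VIP,DC=corp,DC=example'
```

To confirm the purge from a writable DC, list the RODC's revealed accounts with Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity <rodc> -RevealedAccounts and check the account is gone.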
