Photo by Sam Pak / Unsplash
Remove cached password on RODC

Remove cached password on RODC

Published on 04 Jan 2020

Bastien Perez
Bastien Perez


Microsoft FAQ

The FAQ on Technet said:

There is no mechanism to erase passwords after they are cached on an RODC. If you want to clear a password that is stored on an RODC, an administrator should reset the password in the hub site[…]

If you want to remove a password stored on a Read Only Domain Controller (RODC), the method is to reset the password of the desired user account. This must be done on a non-RODC domain controller. Thus, the password cached on the RODC will no longer be valid for accessing resources. But… keep reading if you want to manually reset it.

The password remains valid for authentication until the next replication cycle, the date on which the value stored for this password on the RODC becomes NULL. Following this deletion, there are two cases:

  • the password policy (PRP – Password Replication Policy) has not been changed – the user is still present in the msDS-RevealedList. The new password will be cached only after authentication by the user (or if the new password is prefilled by an administrator)
  • password policy has changed to exclude user from msDS-RevealedList – password remains blank on RODC

Force cached password deletion with LDAP

However, if you are on this article, it is to force this deletion. Indeed, there may happen cases where you cannot / do not want to reset the password, for example for a VIP (CEO, etc.).

The LDAP modify operation RODCPurgeAccount set the value to NULL on Security PRinciple (users and computers) passwords cached on the RODC.

To run this RODCPurgeAccount, without the need to modify the password, you can:

  1. Open ldp.exe on a non-RODC and connect it to RODC on 636 (LDAPS). If LDAPS is not enabled, use 389 (LDAP) but be aware the communication won't be secure accros the network, which could lead to credentials leak  in case of man in the middle… The best practice is always to use always use encrypted LDAP (TCP 636 or TCP 389 with STARTTLS) when using high privileged credentials.
  2. Make a bind on the RODC with an Domain admin account. Select Modify operation
DN: [empty]
Edit Entry Attribute: RODCPurgeAccount
Values: [DistinguishedName]

Click on Replace > Enter > Run.

Force cached password deletion with PowerShell

You also can do this with PowerShell:

$NTDSPDCEmulator = ([ADSI]'').fsmoroleowner[0]
$PDCEmulator = ([ADSI]"LDAP://$NTDSPDCEmulator").Parent
$PDC = ([ADSI]$PDCEmulator).DnsHostName

# Distinguished Name of the user
$userDN = "CN=xxxx,DC=yyy,DC=zzz"

Invoke-Command -ScriptBlock {
	$temp = [io.path]::GetTempFileName()
    Set-Content -Path $temp -Value @"
dn: $userDN
changetype: modify
replace: RODCPurgeAccount
RODCPurgeAccount: Null

    ldifde -i -f $temp
	Remove-Item -Force $temp
} -ComputerName $PDC


banner-Bastien Perez
Bastien Perez

Freelance Microsoft 365 - Active Directory - Modern Workplace