How to Configure Credential Caching on Read-Only Domain Controller Windows Server 2016 Using PowerShell

Last Updated on April 18, 2021 by admin

We have already configured a Read-Only Domain Controller on Windows Server 2016 using PowerShell. In this related guide we configure credential caching on that RODC, so that when a branch user authenticates, the user's password secret is replicated to the RODC and cached there, and later logons no longer depend on the WAN link to a writable domain controller.

The RODC caches passwords only for accounts that its password replication policy (PRP) allows. It is equally important that the computers the branch users log on from are allowed as well: if a workstation's own account secret is not cached, the workstation still needs a writable domain controller to establish its secure channel, and the cached user password buys nothing. The PRP is driven by two built-in domain groups, Allowed RODC Password Replication Group and Denied RODC Password Replication Group, and a deny always wins over an allow. Privileged accounts (Domain Admins, Enterprise Admins, Schema Admins, krbtgt and similar) are members of the denied group by default, so their passwords are never cached on an RODC.

Adding Users to the Allowed RODC Password Replication Group Using PowerShell

Execute the following cmdlet in PowerShell. It adds every user in the Students OU to the Allowed RODC Password Replication Group (adjust the OU and domain to match your environment).

# Add every user account in the Students OU to the allowed group (use straight quotes; curly quotes break the parser)
Get-ADUser -SearchBase 'OU=Students,DC=yourdomain,DC=com' -Filter * | ForEach-Object { Add-ADGroupMember -Identity 'Allowed RODC Password Replication Group' -Members $_ -Confirm:$false }

Have a branch user log on twice to a computer at the branch office. The first logon is forwarded to a writable domain controller and, because the PRP allows it, triggers replication of the user's secret to the RODC; the second logon is then served from the cache. Afterwards, check which passwords the RODC has cached with the following cmdlet, replacing the RODC name with your own.

Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity "<RODCMachineName>" -RevealedAccounts | Format-Table Name, ObjectClass
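The whole procedure end to end, as an added example that is not part of the original post: it adds both the branch users and their workstations to the allowed group, warns about accounts that the denied group overrides, asks the RODC for the resultant policy of each account, prepopulates the cache with Sync-ADObject so the first branch logon does not depend on the WAN link, and finally lists what the RODC has actually cached. The RODC name BR-RODC01, the writable DC HQ-DC01, the BranchPCs OU and the domain yourdomain.com are assumed placeholders; substitute your own.

```powershell
# Added example, not the original post's code. Assumed names: RODC 'BR-RODC01',
# writable DC 'HQ-DC01', domain yourdomain.com, OU 'Students' for branch users
# and OU 'BranchPCs' for the workstations they log on from.
Import-Module ActiveDirectory

$Rodc         = 'BR-RODC01'
$WritableDc   = 'HQ-DC01'
$UserOu       = 'OU=Students,DC=yourdomain,DC=com'
$ComputerOu   = 'OU=BranchPCs,DC=yourdomain,DC=com'
$AllowedGroup = 'Allowed RODC Password Replication Group'
$DeniedGroup  = 'Denied RODC Password Replication Group'

# 1. Collect the users AND the computers they log on from. A cached user password
#    is useless if the workstation's own secret is not cached too, because the
#    workstation's secure channel would still need a writable DC over the WAN.
$users     = Get-ADUser     -SearchBase $UserOu     -Filter *
$computers = Get-ADComputer -SearchBase $ComputerOu -Filter *
$accounts  = @($users) + @($computers)

# 2. Add them to the allowed group in one call (-Members accepts an array).
Add-ADGroupMember -Identity $AllowedGroup -Members $accounts -Confirm:$false

# 3. Deny always wins over allow. Flag anything that is also in the denied group,
#    directly or through nesting, so nobody wonders why it never gets cached.
$denied = Get-ADGroupMember -Identity $DeniedGroup -Recursive |
          Select-Object -ExpandProperty DistinguishedName
foreach ($acct in $accounts) {
    if ($denied -contains $acct.DistinguishedName) {
        Write-Warning "$($acct.SamAccountName) is in '$DeniedGroup'; its password will never be cached on $Rodc."
    }
}

# 4. Ask the RODC for the resultant policy of each account (Allow, DenyExplicit,
#    DenyImplicit or Unknown) so the effective outcome is visible before testing.
$accounts | ForEach-Object {
    $prp = Get-ADAccountResultantPasswordReplicationPolicy -Identity $_ -DomainController $Rodc
    [pscustomobject]@{
        Account      = $_.SamAccountName
        ObjectClass  = $_.ObjectClass
        ResultantPRP = $prp
    }
} | Format-Table -AutoSize

# 5. Prepopulate the cache from the writable DC instead of waiting for each
#    account's first logon. Sync-ADObject -PasswordOnly honours the PRP, so
#    denied accounts fail here rather than silently being cached.
foreach ($acct in $accounts) {
    try {
        Sync-ADObject -Object $acct.DistinguishedName -Source $WritableDc -Destination $Rodc -PasswordOnly
    } catch {
        Write-Warning "Prepopulation failed for $($acct.SamAccountName): $($_.Exception.Message)"
    }
}

# 6. Verify. RevealedAccounts lists accounts whose secrets the RODC now holds;
#    AuthenticatedAccounts lists accounts the RODC has forwarded logons for,
#    which is where denied or not-yet-allowed accounts show up.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Format-Table Name, ObjectClass -AutoSize
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts |
    Format-Table Name, ObjectClass -AutoSize
```

Run this from a machine with the ActiveDirectory module and an account that is allowed to modify the two built-in groups and to trigger replication (Domain Admins or a delegated equivalent). Step 4 is the check to rerun whenever a branch user reports slow logons: an account that still shows DenyExplicit or DenyImplicit on the RODC has been caught by the denied group or is simply not in the allowed list yet, regardless of what the allowed group membership looks like.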

