Maintain Your Directory Services Restore Mode (DSRM) Password

On your domain controllers, there is an account called the Directory Services Restore Mode account.  This account is quite special: it's not an Active Directory account.  It's a local account, isolated to that one domain controller, which means each DC has its own DSRM account with its own unique password.  (You use ntdsutil.exe to change this password.)  This comes as a surprise to some people, who might have thought that Active Directory domain controllers don't have any local accounts.  Well, they have this one.  As the name implies, you would only find yourself using the DSRM account if things have really gone off the rails; in a disaster recovery scenario, basically.  But when that day comes, you really don't want to have forgotten the password to that DSRM account.

What if you have 50 domain controllers in your AD forest?  That means you have to keep up with 50 different DSRM passwords.  And what if your company has a security policy that requires you to change those passwords on a regular basis?

Alright, it's time to automate this.  We have better things to do than sit around changing passwords by hand all day.

So first off, create a new domain user in AD.  Disable the account so that it cannot be logged on to, and name the account something like "DSRM".  Set the account's password to something strong that you will remember and/or have recorded.

Next, create a new Group Policy Object, and link it to the Domain Controllers OU.  You want this policy to apply to all your domain controllers.  Edit the GPO, drill down to Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks, and create a new Scheduled Task to be run on all your domain controllers at a regular interval (like, say, once a week.)

This scheduled task will run as the "SYSTEM" account.  For the action you want to run this command:

C:\Windows\System32\ntdsutil.exe "SET DSRM PASSWORD" "SYNC FROM DOMAIN ACCOUNT Dsrm" Q Q

This command will synchronize the local DSRM password on the domain controller to match the password of the "Dsrm" user account in Active Directory.

This means when it comes time to change the DSRM password, you only need to change it once, and that scheduled task will automatically disseminate it to all your DCs, no matter how many DCs you have.
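The whole procedure above, as an added PowerShell example that is not from the original post: it creates the disabled "Dsrm" source account once, runs the same ntdsutil sync command on every DC through PowerShell remoting so you can confirm it works before handing it to the GPO scheduled task, and then checks each DC's Security log for the audit event that a DSRM password change produces.  It assumes the RSAT ActiveDirectory module, Domain Admin rights, WinRM enabled on the DCs, and that the success text ntdsutil prints matches the pattern shown (the account name, the description text and the success-string match are assumptions).

```powershell
# Added example; not the original post's code. Assumes RSAT ActiveDirectory module,
# Domain Admin rights and WinRM on every DC. The account name "Dsrm" is an assumption.
#Requires -Modules ActiveDirectory

$AccountName = 'Dsrm'

# Step 1: create the disabled domain account that will be the password source.
# Idempotent: only creates it if it does not exist yet.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$AccountName'")) {
    $pw = Read-Host -AsSecureString -Prompt "Password for $AccountName (record it offline)"
    New-ADUser -Name $AccountName -SamAccountName $AccountName `
        -AccountPassword $pw -Enabled $false -PasswordNeverExpires $true `
        -Description 'Source of the DSRM password; keep disabled'
}

# Step 2: the action the scheduled task runs on each DC. Run here through remoting
# so the result can be checked before the GPO takes over.
$SyncScript = {
    param($Name)
    $out = & "$env:SystemRoot\System32\ntdsutil.exe" 'SET DSRM PASSWORD' `
        "SYNC FROM DOMAIN ACCOUNT $Name" Q Q 2>&1
    $text = ($out | Out-String)
    [pscustomobject]@{
        DC       = $env:COMPUTERNAME
        ExitCode = $LASTEXITCODE
        # Assumed success text; verify against your ntdsutil version once.
        Synced   = ($text -match 'synchronized successfully')
        Output   = $text.Trim()
    }
}

function Sync-DsrmPassword {
    param([string]$SourceAccount = $AccountName)
    Get-ADDomainController -Filter * | ForEach-Object {
        Invoke-Command -ComputerName $_.HostName -ScriptBlock $SyncScript `
            -ArgumentList $SourceAccount
    }
}

# Step 3: defender check. A DSRM password set is audited as Security event 4794
# ("An attempt was made to set the Directory Services Restore Mode administrator
# password") when User Account Management auditing is on. Any 4794 outside the
# scheduled task's window, or from an unexpected subject, deserves a look.
function Get-DsrmPasswordSetEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-ADDomainController -Filter * | ForEach-Object {
        Get-WinEvent -ComputerName $_.HostName -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = 4794; StartTime = $since
        } | Select-Object MachineName, TimeCreated, @{n='Subject'; e={ $_.Properties[1].Value }}
    }
}

# Usage:
$results = Sync-DsrmPassword
$results | Format-Table DC, ExitCode, Synced -AutoSize
$results | Where-Object { -not $_.Synced } | Format-List DC, Output   # investigate failures
Get-DsrmPasswordSetEvents -Hours 1 | Format-Table -AutoSize
```

The ntdsutil call is the exact command from the scheduled task, so a DC that fails here (wrong account name, the source account locked out, or the DC unable to reach a writable DC) will fail under the GPO too; fix it before relying on the weekly run.  The 4794 query doubles as the verification that every DC actually took the new password, and as a baseline for spotting a DSRM password change you did not schedule.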
