And you will keep your password updated …


Implementing an effective password policy has always been a hard task, especially when additional accounts like:

  • workstation local administrator accounts
  • service accounts (look for W2008R2 new features)
  • name whatever you want account …

come into the equation and you have to make sure that all of them comply with your company's password policy. Not always an easy task.



Domain controllers have one more password to maintain: the Directory Services Restore Mode (DSRM) administrator password. This password is stored locally on each DC, so if it has to be changed, it has to be changed locally on each DC. So far we had some options like:

  • using the setpwd.exe tool, which can reset this password. Dean (now MSFT) Wells wrote a script which depends on this tool but allows the operation to be performed on every DC in a domain.
  • using ntdsutil.exe, which to be honest isn’t the handiest tool for this task.

Well … it looks like the feedback was heard, and as a result we have the new KB 961320 article, which describes a new feature that is self-explained by the KB title: “A feature is available for Windows Server 2008 that lets you synchronize the DSRM Administrator password with a domain user account”.

I have to admit that my first thought was … great, now we can:

  • Define a new account
  • Define a new password policy object (we are at W2008 so we can leverage FGPP) and bind it to this account
  • Create an operational procedure to ensure that the password of this account gets changed every X days.

Sounds nice: the DSRM password management problem is solved. But life isn’t perfect. My colleagues, who read that article a bit faster than I did, pointed me to this section:

This command synchronizes the DSRM Administrator password one time. If you want to perform another synchronization, you must run this command again.

So, our previous implementation plan has to be extended with something like:

  • On each DC, create a scheduled task which will execute the ntdsutil command every X days, or execute it remotely on each DC every X days.
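The extended plan above, sketched as an added example (not code from the KB article or from this post's author): it registers a recurring task on every DC in the current domain that re-runs the one-time ntdsutil sync. The account name `DsrmSync`, the task name and the 30-day interval are assumptions standing in for your own values.

```powershell
# Added example. Assumes the KB 961320 hotfix is installed on every DC and that
# the caller can create scheduled tasks on each of them remotely.
$SyncAccount  = 'DsrmSync'             # hypothetical dedicated domain account (sAMAccountName)
$IntervalDays = 30                     # the "X days" from the plan above
$TaskName     = 'DSRM password sync'   # hypothetical task name

# Command every DC runs locally. The inner quotes are written as \" because the
# whole string is passed to schtasks.exe inside a quoted /TR value.
$taskRun = 'ntdsutil \"set dsrm password\" \"sync from domain account {0}\" q q' -f $SyncAccount

# Enumerate DCs through .NET so the script does not depend on the AD module.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

$results = foreach ($dc in $domain.DomainControllers) {
    # One verbatim command line; Start-Process hands it to schtasks.exe unchanged.
    $argLine = '/Create /S {0} /RU SYSTEM /SC DAILY /MO {1} /TN "{2}" /TR "{3}" /F' -f `
        $dc.Name, $IntervalDays, $TaskName, $taskRun

    $proc = Start-Process -FilePath 'schtasks.exe' -ArgumentList $argLine `
        -NoNewWindow -Wait -PassThru

    New-Object PSObject -Property @{
        DomainController = $dc.Name
        TaskCreated      = ($proc.ExitCode -eq 0)
    }
}

$results | Format-Table DomainController, TaskCreated -AutoSize

# A DC without the task keeps whatever DSRM password it had, so report it loudly.
$failed = @($results | Where-Object { -not $_.TaskCreated })
if ($failed.Count -gt 0) {
    Write-Warning ("Task not created on: " +
        (($failed | ForEach-Object { $_.DomainController }) -join ', '))
}
```

Each run copies only the password the account has at that moment, so the interval bounds how long a DC's DSRM password can lag behind a password change on the account.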

Overall, the solution looks somewhat better than running a script every X days to set this password; however, it isn’t perfect. I have the impression that development of this feature stopped at some point, but I’m sure (or at least I hope) we will get updates later which will extend its functionality (like resetting the DSRM password whenever the password is changed on the given user object).

But this feature is available as a hotfix, and if you think that your network operations can benefit from it – grab it and use it.