In previous versions of Windows, the DSRM Administrator account can log on to a domain controller only in DSRM (Directory Services Restore Mode). Windows Server 2008 offers a new feature for DSRM: a DSRM Administrator can also log on to a domain controller normally (without DSRM mode). To enable this, you need to change the registry of that domain controller. The following registry entry must be modified to enable this functionality:
- Key Name: HKLM\System\CurrentControlSet\Control\Lsa
- Entry Name: DsrmAdminLogonBehavior
- Type: REG_DWORD
- Value: 0, 1 or 2
0 - DSRM Administrator can log on only in the DSRM Mode. This is the default behavior.
1 - DSRM Administrator can log on when NTDS is stopped.
2 - DSRM Administrator can log on to domain controller anytime.
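
Because a value of 1 or 2 widens where the DSRM Administrator password is accepted, this entry is worth auditing on every domain controller. The following is an added example, not code from the original page: the function name `Get-DsrmLogonBehavior` and its `-ComputerName` parameter are hypothetical, remote queries assume PowerShell remoting is enabled, and an absent entry is treated as the default (0).

```powershell
# Added example. Function and parameter names are hypothetical; the key,
# entry name and the meanings of 0/1/2 are the ones listed above.
function Get-DsrmLogonBehavior {
    param(
        [string[]]$ComputerName   # DCs to query via PowerShell remoting; omit for the local machine
    )
    # Runs on each target: read the entry and its registry type without throwing if it is absent.
    $probe = {
        $name    = 'DsrmAdminLogonBehavior'
        $key     = Get-Item -Path 'HKLM:\System\CurrentControlSet\Control\Lsa'
        $present = $key.GetValueNames() -contains $name
        $value   = $null
        $kind    = $null
        if ($present) {
            $value = $key.GetValue($name)
            $kind  = $key.GetValueKind($name).ToString()
        }
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Present = $present; Value = $value; Kind = $kind }
    }
    $raw = if ($ComputerName) {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe
    } else {
        & $probe
    }
    foreach ($r in $raw) {
        $meaning = if (-not $r.Present) {
            'Entry absent: default behavior (0), DSRM mode only'   # assumption: absent = default
        } elseif ($r.Kind -ne 'DWord') {
            "Entry has type $($r.Kind), expected REG_DWORD"
        } else {
            switch ([int]$r.Value) {
                0 { 'DSRM Administrator can log on only in DSRM mode (default)' }
                1 { 'DSRM Administrator can log on when NTDS is stopped' }
                2 { 'DSRM Administrator can log on to the domain controller anytime' }
                default { "Unrecognized value $($r.Value)" }
            }
        }
        # NonDefault is true for anything other than "absent" or "REG_DWORD 0".
        $isDefault = (-not $r.Present) -or ($r.Kind -eq 'DWord' -and $r.Value -eq 0)
        [pscustomobject]@{
            Computer = $r.Computer; Value = $r.Value; Meaning = $meaning; NonDefault = (-not $isDefault)
        }
    }
}

Get-DsrmLogonBehavior | Format-Table -AutoSize
```

Rows with `NonDefault` set to `True` are the ones to review against the change record for that domain controller.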