This article explains a registry hack that allows the DSRM user account to log on normally in Windows Server 2008. This applies to Windows Server 2008 only.
In previous versions of Windows, the DSRM Administrator account can log on to a domain controller only in DSRM (Directory Services Restore Mode). Windows Server 2008 offers a new feature for DSRM: a DSRM Administrator can also log on to a domain controller normally (without DSRM). To enable this, you need to edit the registry of that domain controller. The following registry entry must be modified to enable this functionality:
- Key Name: HKLM\System\CurrentControlSet\Control\Lsa
- Entry Name: DsrmAdminLogonBehavior
- Type: REG_DWORD
- Value: 0, 1 or 2
  - 0: DSRM Administrator can log on only in DSRM. This is the default behavior.
  - 1: DSRM Administrator can log on when NTDS is stopped.
  - 2: DSRM Administrator can log on to the domain controller anytime.
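
Because any value other than 0 lets the DSRM Administrator account be used outside DSRM, it is worth auditing this entry on every domain controller. The following PowerShell is an added example, not part of the original article: the function name `Get-DsrmAdminLogonBehavior` and its output fields are hypothetical, and it assumes that a missing entry means the default behavior (0).

```powershell
# Added example: audit DsrmAdminLogonBehavior on the local domain controller.
# The function name and output fields are hypothetical; the key, entry name
# and value meanings are the ones listed in the article.
function Get-DsrmAdminLogonBehavior {
    [CmdletBinding()]
    param(
        [string]$KeyPath = 'HKLM:\System\CurrentControlSet\Control\Lsa'
    )

    $meaning = @{
        0 = 'DSRM Administrator can log on only in DSRM (default)'
        1 = 'DSRM Administrator can log on when NTDS is stopped'
        2 = 'DSRM Administrator can log on to the domain controller anytime'
    }

    # Returns $null when the entry (or key) does not exist.
    $item = Get-ItemProperty -Path $KeyPath -Name 'DsrmAdminLogonBehavior' -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        # Assumption: an absent entry is equivalent to the default value 0.
        $value = 0
        $present = $false
    } else {
        $value = [int]$item.DsrmAdminLogonBehavior
        $present = $true
    }

    $description = if ($meaning.ContainsKey($value)) { $meaning[$value] }
                   else { 'Value not covered by the article; review manually' }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        EntryPresent = $present
        Value        = $value
        Meaning      = $description
        NeedsReview  = ($value -ne 0)   # anything but the default deserves a look
    }
}

$result = Get-DsrmAdminLogonBehavior
$result | Format-List
if ($result.NeedsReview) {
    Write-Warning ("DsrmAdminLogonBehavior is {0} on {1}: non-default DSRM logon behavior." -f $result.Value, $result.ComputerName)
}
```

Run it in an elevated session on each domain controller and confirm that any non-default result corresponds to a documented, intentional change.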
About Nirmal Sharma
Nirmal is a Microsoft MVP in Directory Services and works as a Technical Architect/Consultant. He has been involved in Microsoft technologies since 1994 and has followed the progression of Microsoft operating systems and software. He specializes in Directory Services, Microsoft Clustering, SQL, MOM, Exchange and Citrix. In his spare time, he likes to help others and write "internal" technical articles, white papers and tips on various Microsoft technologies. You can contact him at nirmal_sharma@mvps.org.