A Quick Tip To Allow DSRM Account To Log On Normally

by [Published on 22 Oct. 2009 / Last Updated on 29 April 2009]

This article explains a registry hack that allows the DSRM user account to log on normally in Windows Server 2008. This applies to Windows Server 2008 only.

In previous versions of Windows, the DSRM Administrator account can log on to a domain controller only in DSRM (Directory Services Restore Mode). Windows Server 2008 offers a new feature for DSRM: a DSRM Administrator can also log on to a domain controller normally (without DSRM). To enable this, you need to edit the registry of that domain controller. The following registry entry must be modified to enable this functionality:

  • KEY NAME: HKLM\System\CurrentControlSet\Control\Lsa
  • Entry Name: DsrmAdminLogonBehavior
  • Type: REG_DWORD
  • Value: 0, 1 or 2

0 - DSRM Administrator can log on only in the DSRM Mode. This is the default behavior.

1 - DSRM Administrator can log on when NTDS is stopped.

2 - DSRM Administrator can log on to domain controller anytime. 
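
The following PowerShell is an added example, not part of the original tip: it reads the entry described above on the local domain controller, reports which of the three behaviors is in effect, and can set it with validation. The function names are hypothetical, and treating a missing entry as the default (0) is an assumption based on the article's statement that 0 is the default behavior.

```powershell
# Added example: audit and set DsrmAdminLogonBehavior on the local domain controller.
# Run from an elevated PowerShell session on the DC.
$LsaKey    = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$EntryName = 'DsrmAdminLogonBehavior'

# Meanings exactly as listed in the article.
$Meaning = @{
    0 = 'DSRM Administrator can log on only in the DSRM Mode (default)'
    1 = 'DSRM Administrator can log on when NTDS is stopped'
    2 = 'DSRM Administrator can log on to domain controller anytime'
}

function Get-DsrmLogonBehavior {            # hypothetical helper name
    $key = Get-Item -LiteralPath $LsaKey -ErrorAction Stop
    $raw = $key.GetValue($EntryName, $null)

    if ($null -eq $raw) {
        # Assumption: an absent entry means the default behavior (0).
        $state = 'NotSet'; $value = 0; $text = $Meaning[0]
    }
    elseif ($key.GetValueKind($EntryName) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        $state = 'WrongType'; $value = $raw
        $text  = 'Entry exists but is not REG_DWORD as the article specifies'
    }
    elseif ($Meaning.ContainsKey([int]$raw)) {
        $state = 'Set'; $value = [int]$raw; $text = $Meaning[$value]
    }
    else {
        $state = 'OutOfRange'; $value = $raw
        $text  = 'Value is outside 0, 1 or 2'
    }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        State      = $state
        Value      = $value
        Meaning    = $text
        # True for anything other than an absent entry or a DWORD 0.
        NonDefault = -not ($value -is [int] -and $value -eq 0)
    }
}

function Set-DsrmLogonBehavior {            # hypothetical helper name
    param([Parameter(Mandatory)][ValidateRange(0, 2)][int]$Value)
    # -PropertyType DWord creates REG_DWORD; -Force overwrites an existing entry.
    New-ItemProperty -LiteralPath $LsaKey -Name $EntryName -PropertyType DWord -Value $Value -Force | Out-Null
    Get-DsrmLogonBehavior
}

Get-DsrmLogonBehavior    # report only; call Set-DsrmLogonBehavior -Value <0|1|2> to change it
```

Running the report on every domain controller and reviewing any row where NonDefault is true shows where the DSRM password is accepted outside DSRM.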


The Author — Nirmal Sharma

Nirmal Sharma is an MCSEx3 and MCITP, and was awarded Microsoft MVP in Directory Services. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles for various online communities. Nirmal can also be found contributing to PowerShell based Dynamic Packs for ADHealthProf.ITDynamicPacks.Net solutions.
