A Quick Tip To Allow DSRM Account To Log On Normally

by [Published on 22 Oct. 2009 / Last Updated on 29 April 2009]

This article explains a registry hack that allows the DSRM user account to log on normally in Windows Server 2008. This applies to Windows Server 2008 only.

In previous versions of Windows, the DSRM Administrator account can log on to a domain controller only in DSRM (Directory Services Restore Mode). Windows Server 2008 offers a new feature for DSRM: a DSRM Administrator can also log on to a domain controller normally (without DSRM). To enable this, you need to hack the registry of that domain controller. The following registry entry must be modified to enable this functionality:

  • KEY NAME: HKLM\System\CurrentControlSet\Control\Lsa
  • Entry Name: DsrmAdminLogonBehavior
  • Type: REG_DWORD
  • Value: 0, 1 or 2

0 - DSRM Administrator can log on only in the DSRM Mode. This is the default behavior.

1 - DSRM Administrator can log on when NTDS is stopped.

2 - DSRM Administrator can log on to domain controller anytime. 
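
Because a value of 2 lets the DSRM Administrator log on at any time, it is worth checking what a domain controller is actually set to. The PowerShell below is an added example, not part of the original tip: it reads the entry described above on the local machine and reports which behavior is in effect. The function name Get-DsrmAdminLogonBehavior is hypothetical, and treating a missing entry as the default (0) is an assumption.

```powershell
# Added example: report the DsrmAdminLogonBehavior setting on the local machine.
$LsaKey    = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$EntryName = 'DsrmAdminLogonBehavior'

# Value meanings as listed in the article above.
$Meaning = @{
    0 = 'DSRM Administrator can log on only in DSRM (default)'
    1 = 'DSRM Administrator can log on when NTDS is stopped'
    2 = 'DSRM Administrator can log on to the domain controller anytime'
}

# Hypothetical helper name; not a built-in cmdlet.
function Get-DsrmAdminLogonBehavior {
    $key = Get-Item -LiteralPath $LsaKey -ErrorAction Stop

    if ($key.GetValueNames() -notcontains $EntryName) {
        # Assumption: a missing entry means the default behavior (0).
        $kind = 'NotSet'; $value = 0
    } else {
        $kind  = $key.GetValueKind($EntryName).ToString()
        $value = $key.GetValue($EntryName)
    }

    # The entry must be a REG_DWORD holding 0, 1 or 2; anything else is flagged.
    $valid = (@('NotSet', 'DWord') -contains $kind) -and
             ($value -is [int]) -and $Meaning.ContainsKey($value)
    $text  = 'Unexpected type or value'
    if ($valid) { $text = $Meaning[$value] }

    New-Object PSObject -Property @{
        Computer   = $env:COMPUTERNAME
        ValueKind  = $kind
        Value      = $value
        Meaning    = $text
        NonDefault = (-not $valid) -or ($value -ne 0)
    }
}

$result = Get-DsrmAdminLogonBehavior
$result | Format-List Computer, ValueKind, Value, Meaning, NonDefault
if ($result.NonDefault) {
    Write-Warning "$EntryName is not at its default on $($result.Computer)."
    # To return to the default, run from an elevated prompt:
    # Set-ItemProperty -Path $LsaKey -Name $EntryName -Value 0 -Type DWord
}
```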



The Author — Nirmal Sharma


Nirmal Sharma is an MCSEx3 and MCITP and was awarded the Microsoft MVP award in Directory Services and Windows Networking. He specializes in Microsoft Azure, Office 365, Directory Services, Failover Clusters, Hyper-V, PowerShell Scripting and System Center products. Nirmal has been involved with Microsoft Technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites and contributing to PowerShell-based Dynamic Packs for www.ITDynamicPacks.Net solutions.
