How To Designate A Domain User To Manage A RODC?

[Published on 14 Jan. 2010 / Last Updated on 31 May 2009]

This article explains how you can delegate administration of an RODC to a domain user.

An RODC holds a read-only copy of the Active Directory domain database. RODCs are designed for locations where administrators have less knowledge of Active Directory. Neither a user nor a domain administrator can perform LDAP write operations on an RODC. That restriction applies only to the domain database (the NTDS.DIT file); the RODC itself still needs someone to carry out maintenance tasks such as installing patches and updating antivirus software. On a member server these tasks can be performed only by a local administrator, but RODCs do not have local administrators because they are part of the Active Directory domain.

You can designate a domain user to perform the maintenance tasks on the RODC by running the following commands on the RODC itself:

  • Type Dsmgmt and then press Enter
  • Type Add user_name Administrators

The above command reports the message "Command completed successfully" and adds an entry at the following location in the registry:


The above registry entry (RODCRoles) contains the list of user accounts that can manage the RODC for maintenance purposes.
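The procedure above as a non-interactive script with a verification step, added here as an example and not part of the original article. It enters dsmgmt's "local roles" context before issuing the Add command; the account name CONTOSO\rodc-maint is a constructed placeholder, and the script assumes Windows PowerShell 3.0 or later and that the "show role" listing includes the account name.

```powershell
# Added example, not from the original article. Run elevated on the RODC.
param(
    # Constructed placeholder; pass a real DOMAIN\name.
    [string]$Account = 'CONTOSO\rodc-maint'
)
$ErrorActionPreference = 'Stop'

# DomainRole 4 or 5 means domain controller; local roles only apply on a DC.
$domainRole = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($domainRole -lt 4) {
    throw "$env:COMPUTERNAME is not a domain controller; nothing to delegate."
}

function Get-RodcLocalAdmins {
    # dsmgmt takes its interactive commands as arguments, one quoted string each.
    # "show role administrators" prints the current holders of the role.
    & dsmgmt.exe 'local roles' 'show role administrators' quit quit |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ }
}

# Assumption: the role listing prints each holder with its account name, so a
# case-insensitive match on the name part is enough to detect membership.
$name    = ($Account -split '\\')[-1]
$pattern = [regex]::Escape($name)

$before = Get-RodcLocalAdmins
if ($before -match $pattern) {
    Write-Output "$Account already holds the Administrators role on this RODC."
    return
}

# The Add command the article describes, issued inside the "local roles" context.
& dsmgmt.exe 'local roles' "add $Account administrators" quit quit |
    ForEach-Object { Write-Output "dsmgmt: $_" }

# Do not rely on the success message alone; re-read the role and confirm.
$after = Get-RodcLocalAdmins
if (-not ($after -match $pattern)) {
    throw "dsmgmt ran, but $Account is not listed in the Administrators role."
}
Write-Output 'Delegated. Output of "show role administrators":'
$after | ForEach-Object { "  $_" }
```

Running the listing step on a schedule and comparing it with the expected holders gives a simple audit of who can administer each RODC.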


The Author — Nirmal Sharma


Nirmal Sharma is a MCSEx3, MCITP and was awarded the Microsoft MVP award in Directory Services and Windows Networking. He specializes in Microsoft Azure, Office 365, Directory Services, Failover Clusters, Hyper-V, PowerShell Scripting and System Center products. Nirmal has been involved with Microsoft Technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites and contributing to PowerShell-based Dynamic Packs for www.ITDynamicPacks.Net solutions.
