1. Create a standard domain user account with a complex password. It does not need to be a member of any special groups, including Domain Admins.
2. Install the hotfix on your DC and restart.
3. Log on to the DC normally.
4. In an elevated CMD prompt where you have logged on as a Domain Admin, run:
SET DSRM PASSWORD
SYNC FROM DOMAIN ACCOUNT <your user here>
1. Start GPMC on a Windows Server 2008 or Windows Vista computer running RSAT.
2. Create and link a new policy on the Domain Controllers OU (you are doing all this in a test domain first, right?).
3. Create the GPP Scheduled task settings.
Note here that I have set:
A) Action of ‘Update’ (this will create the task if it does not exist).
B) A Run command using the built-in GPP variable %SystemDir% for the System32 directory, followed by ntdsutil.exe as the program to be called.
C) The command line exactly as it would be typed by hand into ntdsutil, including the quotation marks:
"SET DSRM PASSWORD" "SYNC FROM DOMAIN ACCOUNT DsrmUser" Q Q
D) The task is Enabled with a checkbox so that it will run, not just be created.
E) Then I have set this to run as a daily task at 9 AM (it's fairly likely that the DC will be running at that point). I could also run this hourly, weekly, etc – whatever I want.
4. After having created the policy and letting it apply to DCs, I now see it is working by examining the scheduled tasks on one of my domain controllers. There it is (as well as another one I added to run every night too – can't be too careful):
5. Once the right time has come and gone, I boot a DC into DS Repair mode and check – sure enough, my new password has taken effect automagically.
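The same daily sync task, registered directly with PowerShell for a DC that is not covered by the GPP policy above, plus a check that the sync actually ran. This is an added example, not from the original post or from Microsoft; it assumes a Windows Server 2012 or later DC (for the ScheduledTasks module), the hotfix already installed, and the same DsrmUser account the post uses. The 4794 event is the standard Security audit event for setting the DSRM password and is not mentioned on the page.

```powershell
# Added example (not the original post's code). Run in an elevated PowerShell
# session on a domain controller that has the DSRM sync hotfix installed.
$DsrmAccount = 'DsrmUser'              # account name used on the page
$TaskName    = 'Sync DSRM Password'    # assumed task name

function Register-DsrmSyncTask {
    param([string]$Account, [string]$Name)

    # Same command line as the GPP task; each ntdsutil sub-command is quoted
    # because it contains spaces, and the two Q's exit the ntdsutil menus.
    $ntdsutilArgs = '"SET DSRM PASSWORD" "SYNC FROM DOMAIN ACCOUNT {0}" Q Q' -f $Account
    $action  = New-ScheduledTaskAction -Execute "$env:SystemRoot\System32\ntdsutil.exe" `
                                       -Argument $ntdsutilArgs
    # Daily at 9 AM, matching the GPP schedule in the post.
    $trigger = New-ScheduledTaskTrigger -Daily -At 9am
    # ntdsutil must run with full privileges on the DC; SYSTEM avoids storing
    # a Domain Admin credential in the task.
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -RunLevel Highest
    Register-ScheduledTask -TaskName $Name -Action $action -Trigger $trigger `
                           -Principal $principal -Force
}

function Test-DsrmSyncRan {
    param([datetime]$Since)
    # Event 4794 ("An attempt was made to set the Directory Services Restore
    # Mode administrator password") is logged to Security whenever the DSRM
    # password is set, including by this sync. It requires the
    # "Audit User Account Management" subcategory to be enabled on the DC.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4794; StartTime = $Since } `
                           -ErrorAction SilentlyContinue
    return [bool]$events
}

Register-DsrmSyncTask -Account $DsrmAccount -Name $TaskName

# Run it once now instead of waiting for 9 AM, then confirm the audit event.
$start = Get-Date
Start-ScheduledTask -TaskName $TaskName
Start-Sleep -Seconds 10
if (Test-DsrmSyncRan -Since $start) {
    "DSRM password sync ran on $env:COMPUTERNAME"
} else {
    "No 4794 event since $start; check the task's last run result and audit policy"
}
```

Booting into DS Repair mode remains the only way to prove the new DSRM password works; the 4794 check just tells you the task fired and ntdsutil attempted the set.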