This Windows PowerShell script prepopulates a batch of user passwords to a specified Read-only Domain Controller (RODC). It leverages the native repadmin command and strictly validates its parameters to avoid potential human error.

Currently, IT professionals can only prepopulate the password for one account at a time. If they have to prepopulate 200 or more user passwords within a very short period of time, the job becomes very stressful and tedious.
Important:
Before you run the script, add the group to the "Allowed RODC Password Replication Group" or grant it the equivalent permission on the RODC's password replication policy. Otherwise the script generates an error message; that message is the output of the repadmin command.
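The following is an added example and not part of the gallery script: it checks the prerequisite above before the batch job runs, and can apply the "equivalent permission" the note mentions by putting the group directly on that RODC's Allowed list. It assumes the Active Directory PowerShell module; the group and RODC names are the hypothetical ones from the usage example on this page.

```powershell
# Added example, not part of the gallery script. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-OSCAllowedPRP
{
    Param
    (
        [Parameter(Mandatory=$true)][string]$GroupName,   # SAM account name of the group
        [Parameter(Mandatory=$true)][string]$RODCName,    # name of the read-only DC
        [switch]$AddIfMissing                             # add the group to the RODC's Allowed list
    )
    $group = Get-ADGroup -Identity $GroupName

    # Direct entries on this RODC's Allowed and Denied lists.
    $allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $RODCName -Allowed |
                 ForEach-Object { $_.DistinguishedName })
    $denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $RODCName -Denied |
                 ForEach-Object { $_.DistinguishedName })

    # The page's own recommendation: membership of the domain-wide allowed group.
    # Only direct membership is resolved here; deeper nesting is not examined.
    $viaDomainGroup = @(Get-ADGroupMember -Identity "Allowed RODC Password Replication Group" |
                        ForEach-Object { $_.DistinguishedName })

    # An explicit Denied entry wins over any Allowed entry, so warn rather than "fix" it.
    if ($denied -contains $group.DistinguishedName) {
        Write-Warning "'$GroupName' is on the Denied list of $RODCName; repadmin will refuse every member."
        return $false
    }
    if (($allowed -contains $group.DistinguishedName) -or ($viaDomainGroup -contains $group.DistinguishedName)) {
        Write-Verbose "'$GroupName' is already allowed to have passwords cached on $RODCName."
        return $true
    }
    if ($AddIfMissing) {
        Add-ADDomainControllerPasswordReplicationPolicy -Identity $RODCName -AllowedList $group
        Write-Verbose "Added '$GroupName' to the Allowed list of $RODCName."
        return $true
    }
    Write-Warning "'$GroupName' is not allowed on $RODCName; the batch script would fail with a repadmin error."
    return $false
}

# Usage with the hypothetical names from this page: report first, add only on a deliberate second run.
Test-OSCAllowedPRP -GroupName BJUsers -RODCName CNBJADDSDC02 -Verbose
# Test-OSCAllowedPRP -GroupName BJUsers -RODCName CNBJADDSDC02 -AddIfMissing -Verbose
```

Keep the group limited to the accounts that actually authenticate at the RODC's site: whatever is on the Allowed list (and then prepopulated) is exactly the set of secrets exposed if that RODC is ever compromised, which is why the Denied list takes precedence for protected accounts.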

Step 1: Log on to a writable domain controller that is running Windows Server 2008 R2 with Domain Administrator privilege.
Step 2: Click Start, type powershell in the search box on the Start Menu, right-click Windows PowerShell in the search results, and then click Run as administrator.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
Note:
The script will be terminated by design if any of the above conditions are not met.
Import-Module ActiveDirectory   # Get-ADDomainController comes from this module (must be imported explicitly in PowerShell 2.0)

# $Messages is the message table of the full script; this minimal definition is an assumption
# added so that the excerpt below runs on its own.
$Messages = @{ CannotFindSpecifiedDC = "Cannot find the specified domain controller: Placeholder01" }

Function Test-OSCUserPrivilege
{
    # Check whether the current user is running elevated and is a member of Domain Admins.
    $windowsIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $windowsPrincipal = New-Object -TypeName System.Security.Principal.WindowsPrincipal($windowsIdentity)
    $Administrator = [System.Security.Principal.WindowsBuiltInRole]::Administrator
    $isElevated = $windowsPrincipal.IsInRole($Administrator)
    # The string form is resolved as an NT account name; on a domain controller the
    # unqualified "Domain Admins" resolves in the domain, which is where this script runs.
    $isDomainAdmin = $windowsPrincipal.IsInRole("Domain Admins")
    if ($isElevated -and $isDomainAdmin) {
        return $true
    } else {
        return $false
    }
}

Function Test-OSCIsWritableDC
{
    # Check whether the given server (by default the local one) is a writable domain controller.
    Param
    (
        [string]$ComputerName=$env:ComputerName
    )
    $domainController = Get-ADDomainController -Filter {name -eq $ComputerName}
    if ($domainController -ne $null) {
        $isWriteableDC = -not $domainController.IsReadOnly
        return $isWriteableDC
    } else {
        # Abort rather than guess: the message comes from the script's message table.
        $errMsg = $Messages.CannotFindSpecifiedDC -replace "Placeholder01",$ComputerName
        throw $errMsg
    }
}
Method 1:
If you run this script without specifying any parameters, you will be prompted for each of them. GroupName is the SAM Account Name of a group; it is used to retrieve the group object. RODCName is the name of a Read-only Domain Controller. WritableDCName is the NetBIOS name of a writable domain controller. LogFile is the file system path of a text file in which the outputs are saved. Create this empty text file before you run the script.

Method 2:
If you want to run this script as a scheduled task, enter the arguments in the "Add arguments (optional)" textbox. Here is one example:
-File "C:\Scripts\001\PrepopulatePasswordCacheForRODC.ps1" BJUsers CNBJADDSDC02 CNSHADDSDC01 "c:\scripts\results.txt"
"C:\Scripts\001\PrepopulatePasswordCacheForRODC.ps1" - The script file.
BJUsers - The SAM Account Name of a group.
CNBJADDSDC02 - The NetBIOS name of a Read-only Domain Controller.
CNSHADDSDC01 - The NetBIOS name of a writable Domain Controller.
"c:\scripts\results.txt" - A file system path which will be used for saving the outputs.

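As an added example (not the gallery script itself), the batch prepopulation that both methods above drive, written as a script that takes the same four positional parameters as the scheduled-task example. It runs repadmin /rodcpwdrepl once per member of the group, logs each result, and then asks the directory which accounts the RODC now actually holds a secret for. It assumes the Active Directory PowerShell module; the group, DC and log file names in the usage line are the hypothetical values from this page.

```powershell
# Added example, not the gallery script. Usage with the page's hypothetical names:
#   .\Prepopulate-BatchExample.ps1 BJUsers CNBJADDSDC02 CNSHADDSDC01 "c:\scripts\results.txt"
Param
(
    [Parameter(Mandatory=$true, Position=0)][string]$GroupName,
    [Parameter(Mandatory=$true, Position=1)][string]$RODCName,
    [Parameter(Mandatory=$true, Position=2)][string]$WritableDCName,
    [Parameter(Mandatory=$true, Position=3)][string]$LogFile
)
Import-Module ActiveDirectory

function Write-Log([string]$Text) {
    Add-Content -Path $LogFile -Value ("{0} {1}" -f (Get-Date -Format s), $Text)
}

# Strict parameter checks, so that a typo cannot push secrets to the wrong DC.
if (-not (Test-Path -Path $LogFile -PathType Leaf)) {
    throw "Log file '$LogFile' does not exist. Create the empty file first."
}
$rodc = Get-ADDomainController -Identity $RODCName          # throws if the name is unknown
if (-not $rodc.IsReadOnly) { throw "'$RODCName' is not a read-only domain controller." }
$hub = Get-ADDomainController -Identity $WritableDCName
if ($hub.IsReadOnly) { throw "'$WritableDCName' is not a writable domain controller." }

# Only user objects can be cached; -Recursive expands nested groups.
$users = @(Get-ADGroupMember -Identity $GroupName -Recursive |
           Where-Object { $_.objectClass -eq 'user' })
if ($users.Count -eq 0) { throw "Group '$GroupName' contains no user accounts." }

Write-Log ("Prepopulating {0} account(s) from '{1}' to {2} via {3}" -f `
           $users.Count, $GroupName, $RODCName, $WritableDCName)

$failed = 0
foreach ($user in $users) {
    # repadmin prints its own error text, so keep it in the log. The exit code is only a
    # hint; the authoritative check is the revealed-accounts query after the loop.
    $output = & repadmin.exe /rodcpwdrepl $RODCName $WritableDCName $user.DistinguishedName 2>&1
    if ($LASTEXITCODE -eq 0) {
        Write-Log ("OK      {0}" -f $user.SamAccountName)
    } else {
        $failed++
        Write-Log ("FAILED  {0} (exit code {1})" -f $user.SamAccountName, $LASTEXITCODE)
        Write-Log (($output | Out-String).Trim())
    }
}

# Verification: which of these accounts does the RODC now hold a secret for?
$revealedDNs = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RODCName -RevealedAccounts |
                 ForEach-Object { $_.DistinguishedName })
$notCached = @($users | Where-Object { $revealedDNs -notcontains $_.DistinguishedName })
foreach ($user in $notCached) {
    Write-Log ("NOT CACHED {0} (check the Denied list and the repadmin output above)" -f $user.SamAccountName)
}
Write-Log ("Done: {0} attempted, {1} repadmin failure(s), {2} not cached" -f `
           $users.Count, $failed, $notCached.Count)
```

Accounts that end up in the "NOT CACHED" lines are usually members of a group on the RODC's Denied list (an explicit deny always wins), or had a repadmin error that is logged immediately above them; the log file therefore doubles as the audit record of which secrets were pushed to that RODC and when.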
Windows PowerShell 2.0
Active Directory PowerShell Module
Any other requirements for prepopulating the password cache for an RODC
Additional Resources
Technical Resource:
Prepopulate the password cache for an RODC
Active Directory Administration with Windows PowerShell
Forum Threads:
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/4e3507b9-7ed7-4b48-8f6e-40d170d7ab5d
http://forums.techarena.in/active-directory/1244227.htm