While I was teaching a customized AD for Windows Server 2008 class this week, a great question popped up (thanks, Eugene!).
Q: If I remove a user from the Allowed password caching policy, does his already cached password on the RODC get purged?
A: No, it does not. Changes to the password are simply no longer replicated back down to the RODC for that user.
Here is a snippet from the FAQ document linked below…

How can you clear a password that is cached on an RODC?

There is no mechanism to erase passwords after they are cached on an RODC. If you want to clear a password that is stored on an RODC, an administrator should reset the password in the hub site. This way, the password that is cached in the branch will no longer be valid for accessing any resources in the hub site or other branches. In the branch that contains the RODC on which the password may have been compromised, the password will still be valid for authentication purposes until the next replication cycle, at which time its value that is stored on the RODC will be changed to Null. The new password will be cached only after the user authenticates with it—or the new password is prepopulated on the RODC—and if the PRP (password replication policy) has not been changed.

In the event that an RODC is compromised, you should reset the passwords for all accounts that have cached passwords and then rebuild the RODC.
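
As an added example (not part of the FAQ or the original post), the following PowerShell script lists the accounts whose passwords are cached on an RODC, shows whether the PRP still allows each one, and optionally resets the user passwords on a writable DC. It assumes the ActiveDirectory module is available; `BRANCH-RODC01` and `HUB-DC01` are placeholder names.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT).
# The default names below are placeholders, not values from the post.
param(
    [string]$RodcName = 'BRANCH-RODC01',   # hypothetical RODC
    [string]$HubDc    = 'HUB-DC01',        # hypothetical writable DC in the hub site
    [switch]$ResetPasswords                # without this switch the script only reports
)
Import-Module ActiveDirectory

function New-RandomPassword {
    # 24 random bytes, base64 encoded, plus fixed characters so that
    # typical complexity rules (upper, lower, digit, symbol) are met.
    $bytes = New-Object byte[] 24
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $plain = [Convert]::ToBase64String($bytes) + 'aZ9!'
    ConvertTo-SecureString $plain -AsPlainText -Force
}

# Accounts whose passwords are currently stored on the RODC.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage `
    -Identity $RodcName -RevealedAccounts

$report = foreach ($acct in $revealed) {
    # The RODC's own krbtgt_* account can appear in this list; it is not
    # a user password to reset, so skip it.
    if ($acct.SamAccountName -like 'krbtgt*') { continue }

    # Allow / DenyExplicit / DenyImplicit: what the PRP says today.
    $prp = Get-ADAccountResultantPasswordReplicationPolicy `
        -Identity $acct -DomainController $RodcName

    $reset = $false
    if ($ResetPasswords -and $acct.ObjectClass -eq 'user') {
        # Reset on the writable DC. The random value only invalidates the
        # cached credential; issue the user a new password separately.
        Set-ADAccountPassword -Identity $acct -Server $HubDc -Reset `
            -NewPassword (New-RandomPassword)
        $reset = $true
    }
    [pscustomobject]@{
        Account         = $acct.SamAccountName
        ObjectClass     = $acct.ObjectClass
        CurrentPrp      = $prp      # anything but Allow = cached, no longer allowed
        PasswordWasReset = $reset
    }
}
$report | Sort-Object CurrentPrp, Account | Format-Table -AutoSize
```

Computer accounts are reported but not reset here, because resetting a machine password from the directory side breaks that machine's secure channel; handle them separately.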

Here are supporting links and some reference materials regarding RODCs and WS2008.