Doing the DSRM sync a different way

On August 22, 2010, in sbs 2008, by

This blog post courtesy of Kevin James, SBS MVP

Now let’s do our DSRM password sync a different way…


Use Group Policy Preferences to deploy a scheduled task targeting only Windows 2008 and Windows 2008 R2 Domain Controllers.



Windows Vista or Windows 7 with RSAT


Server 2008 or 2008 R2 Full with GPMC tools.


For this example we will be using Group Policy Preferences to deploy a scheduled task to all domain controllers. The objective of this task is to automatically synchronize the Directory Services Restore Mode password with a select Domain Account. In this example the default domain administrator account will be used and the command is supported only;

·         2008 SP1 with  KB322672

·         2008 SP2

·         2008 R2


Step 1. Group Policy Object creation

Using the GPMC, create a new Group Policy Object. In this example it is named DSRM Sync

Step 2. – Scheduled task creation

·         Select and right click on the new policy object and select “edit”.

·         Expand the Computer configuration, Preferences, Control Panel Settings.

·         Select the “Scheduled tasks” and right click to create a new scheduled task.



Step 3. – Scheduled task core configuration

·         Select “Create” in the Action drop down box. This action will initially create the task on the select computers.

·         Enter the task name in the “Name:” section. In this example “DSRM Password Sync” is used.

·         The command this example uses is ntdsutil.exe entered in the “Run:” field

·         Provide the necessary “Arguments:” to the image being run. In the example the complete image execution arguments are;

“set dsrm password” “sync from domain account <AccountName>” q q

Note: Proper execution of this command requires the quotes as shown and the <AccountName> substituted with the domain account name to be the password sync source.

·         Set the “Start in:” directory of %systemroot% and includes optional documentation in the “Comments:” Section.


Step 4 – Supply task execution credentials

·         Select the “Run as” checkbox and provide a domain username the task will use. In this example, an account with domain admin membership is needed.

·         Entered the “Password:” and “Confirm Password:” fields. 



Step 5. –  Configure Task run Schedule

·         Select the “Schedule” Tab.

This example configures the task to run at 1:00:00 AM Daily.


Step 6. – Configure Execution limitations

·         Select the “Settings” tab.

This task is expected to complete very quickly and the example configures the task to stop if it runs for 5 minutes.


Step 7. – Enable item level targeting

·         Click on the “Common” tab.

·         Check the “Item-level targeting. Check box.

·         Click on the “Targeting…” button.


Step 8. Add 2008 Domain Controller item

This example will target Server 2008 and Server 2008 R2 Domain Controllers.

·         In the “Targeting editor” window, click “New Item” and select “Operating System”


·         In the lower section of the targeting editor window, select the “Product”, Windows Server 2008.

·         Select the “Computer Role” of “Domain Controller”

·         Repeat this process adding another “New Item” Operating system this time Using the “Product” Windows Server 2008 R2” and “Computer Role” of Domain Controller.


Step 9. Configure the Item Options “OR” conditional

·         Select the second item and then click on the “Item Options”

The examples desired targets will be Windows 2008 Domain Controllers OR Windows 2008 R2 Domain Controllers.

·         Choose the “Or” ( F6 shortcut) item option

·         Click on “OK”

·         Click on “OK” at the “New Task Properties” window.

This completes the Scheduled Task Group Policy Preference configuration.


Step 10 – Review the new GPO

Review the configuration and close the Group Policy Management Editor window.

Step 11 – Link the GPO to the Domain Controllers OU

The new Group Policy object is ready to be linked to the desired Active Directory OU. Typically this would be linked to “Domain Controllers” OU. 

·         In the GPMC, Select the Domain Controllers OU, Right click and select “Link an Exiting GPO”


·         Select the DSRM Sync Group Policy Object and click “OK”

This completes the Scheduled task group policy preference configuration.  

Step  12 – Verification of deployment and operation

After the targeted domain controllers refresh group policies, examine each servers Scheduled tasks list.

In the example below the Domain Controller has received the New Scheduled task and the “last run result” reported a successful completion.




Comments are closed.