Starting with Windows 2008, Microsoft has created a feature called Password Replication Policy (PRP). It is an element of control on “credential caching.” In scenarios where protected groups, computer objects, and users’ credentials need to be guarded against potential breached of remote zones, their passwords will need to be non-cacheable on such RODC’s.
Furthermore, Windows 2012 adds two default security groups that automatically generates during the RODC setup process.
- Allowed RODC Password Replication Group : Members of this group are placed in the Allow list of the Password Replication Policies of all RODCs by default. This group has no members when Windows Server 2012 is first installed.
- Denied RODC Password Replication Group: Members of this group are placed in the Deny list of the Password Replication Policies of all RODCs by default. Some of the groups include Administrators, Server Operators, Backup Operators, Account Operators, and Denied RODC Password Replication Group.
Of course, the local Administrators Group are also available on RODC – this group does not exist on writable DC’s. Members of the local Administrators group will give full control over such zoned environment. Hence, the RODC local SAM architecture resembles a “member server,” rather than a typical domain controller. It’s important to note that local admin accounts on member servers and RODC’s will not propagate to the parent DC’s.