Policy

Enable password backup for DSRM accounts

When you enable this setting, the DSRM administrator account password will be managed and backed up to Active Directory. Enabling this setting has no effect unless the managed device is a domain controller and password encryption is also enabled. If this setting is enabled, the password for the DSRM administrator account on the domain controller will be backed up to Active Directory. If this setting is disabled or not configured, the password for the DSRM administrator account on the domain controller will not be backed up to Active Directory. See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.

Policy
Pack Microsoft Windows
Category System / LAPS
Policy ID 6ae795e60a03
Internal name LAPS_ADBackupDSRMPassword

Registry

Copy registry mappings

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS\ADBackupDSRMPassword (enabled) = 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS\ADBackupDSRMPassword (disabled) = 0

Policy notes

When you enable this setting, the DSRM administrator account password will be managed and backed up to Active Directory. Enabling this setting has no effect unless the managed device is a domain controller and password encryption is also enabled. If this setting is enabled, the password for the DSRM administrator account on the domain controller will be backed up to Active Directory. If this setting is disabled or not configured, the password for the DSRM administrator account on the domain controller will not be backed up to Active Directory. See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.

Related policies

Configure authorized password decryptorsConfigure automatic account managementConfigure password backup directoryConfigure size of encrypted password historyDo not allow password expiration time longer than required by policyEnable password encryptionName of administrator account to manage