A. Using the DsrmAdminLogonBehavior registry value, you can allow the Directory Services Restore Mode (DSRM) administrator account to log on to a domain controller (DC) when its AD DS service is stopped. This is useful if you've stopped the local AD DS service, no other DCs are available, and you've logged off or your password-protected screen saver has activated.

The registry value is located at HKLM\System\CurrentControlSet\Control\Lsa\DSRMAdminLogonBehavior. Its possible values are:

  • 0 (default): You can only use the DSRM administrator account if the DC is started in DSRM.
  • 1: You can use the DSRM administrator account to log on if the local AD DS service is stopped.
  • 2: You can always use the DSRM administrator account. This setting isn't recommended, because password policies don't apply to the DSRM administrator account.
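
One way to audit this setting on a DC, as an added PowerShell example that is not part of the original FAQ. The function names and status labels are hypothetical, and a missing value is assumed to behave as the default (0).

```powershell
# Added example: report how DsrmAdminLogonBehavior is set on this DC.
# Run locally on the DC in an elevated PowerShell session.
$LsaKey    = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$ValueName = 'DsrmAdminLogonBehavior'

function Get-DsrmLogonBehavior {
    [CmdletBinding()]
    param([string]$Path = $LsaKey, [string]$Name = $ValueName)

    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    # Assumption: an absent value behaves like the documented default, 0.
    $configured = $null -ne $item
    $raw = if ($configured) { $item.$Name } else { 0 }

    switch ($raw) {
        0 { $status = 'Default'
            $meaning = 'DSRM administrator usable only when the DC is started in DSRM' }
        1 { $status = 'NonDefault'
            $meaning = 'DSRM administrator can log on when the local AD DS service is stopped' }
        2 { $status = 'NotRecommended'
            $meaning = 'DSRM administrator can always log on; password policies do not apply to it' }
        default { $status = 'Undocumented'
            $meaning = 'Value is outside the documented range 0-2' }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Configured   = $configured   # $false when the value is not present
        Value        = $raw
        Status       = $status
        Meaning      = $meaning
    }
}

function Reset-DsrmLogonBehavior {
    # Writes the default (0) back; supports -WhatIf and -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $LsaKey, [string]$Name = $ValueName)

    if ($PSCmdlet.ShouldProcess("$Path\$Name", 'Set to 0 (default)')) {
        Set-ItemProperty -Path $Path -Name $Name -Value 0 -Type DWord
    }
}

$result = Get-DsrmLogonBehavior
$result | Format-List
if ($result.Status -in 'NotRecommended', 'Undocumented') {
    Write-Warning "DsrmAdminLogonBehavior is $($result.Value) on $($result.ComputerName)."
}
```

Run `Reset-DsrmLogonBehavior -WhatIf` first to preview the change before writing the default back.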

Check out hundreds more useful Q&As like this in John Savill's FAQ for Windows. Also, watch instructional videos made by John at ITTV.net.