Policy
Enable password backup for DSRM accounts
Windows 11 25H2
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows10
When you enable this setting, the DSRM administrator account password will be managed and backed up to Active Directory. Enabling this setting has no effect unless the managed device is a domain controller and password encryption is also enabled. If this setting is enabled, the password for the DSRM administrator account on the domain controller will be backed up to Active Directory. If this setting is disabled or not configured, the password for the DSRM administrator account on the domain controller will not be backed up to Active Directory. See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.
Registry values
How enabled and disabled states update the registry.
| Registry location | Type | Enabled value | Disabled value |
|---|---|---|---|
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS\ADBackupDSRMPassword | REG_DWORD | 1 | 0 |
Policy elements
Inputs and configuration options exposed by this policy.
This policy has no additional user input fields.
Other policies in this category
Explore related policies at the same level.
- ComputerConfigure authorized password decryptorsAt least Microsoft Windows 10 or later
- ComputerConfigure automatic account managementAt least Microsoft Windows 10 or later
- ComputerConfigure password backup directoryAt least Microsoft Windows 10 or later
- ComputerConfigure size of encrypted password historyAt least Microsoft Windows 10 or later
- ComputerDo not allow password expiration time longer than required by policyAt least Microsoft Windows 10 or later
- ComputerEnable password encryptionAt least Microsoft Windows 10 or later
- ComputerName of administrator account to manageAt least Microsoft Windows 10 or later
- ComputerPassword SettingsAt least Microsoft Windows 10 or later
- ComputerPost-authentication actionsAt least Microsoft Windows 10 or later