Synchronize DSRM password with a domain account

The Directory Services Restore Mode (DSRM) password is one of the most critical credentials in a Windows environment. With it a user can restart a domain controller, copy or change the Active Directory database, and perform many other actions, completely anonymously. This is why the password should be protected effectively.

The password can be changed using ntdsutil.exe, and the credential is stored per server, so you have to change it on every domain controller if you want to keep the state somewhat organized.

Since Windows Server 2008 SP3 (hotfix) it has been possible to sync the DSRM password with a domain user account's password. This is very useful, because managing the password policy of a domain user is much easier than managing the DSRM password.

The sync can be implemented with ntdsutil.exe by running the tool with the following arguments, where dsrmuser is the account name of the desired domain user:

"set dsrm password" "sync from domain account dsrmuser" q q

To take this further, you can automate the process with Task Scheduler so that the sync runs on every DC. You can also deploy that scheduled task via Group Policy Preferences.
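As an added example (not code from the original post), the following PowerShell script runs the ntdsutil sync described above on the local DC, confirms from the Security log that the DSRM password was actually set, and registers the recurring task. It assumes a dedicated, non-privileged domain user named dsrmsync exists, that it runs elevated on a domain controller with the ScheduledTasks module (Windows Server 2012 or later), and the function names are hypothetical.

```powershell
# Added example, not part of the original post.
# Assumptions: a dedicated domain user 'dsrmsync' exists, and this runs elevated
# on a domain controller (Server 2012+ for the ScheduledTasks cmdlets).
param(
    [string]$DsrmUser = 'dsrmsync'
)

function Sync-DsrmPassword {
    param([string]$User)
    $started = Get-Date
    # Same invocation as in the post; each quoted string is one ntdsutil command.
    $output = & ntdsutil.exe 'set dsrm password' "sync from domain account $User" q q 2>&1
    $output | ForEach-Object { Write-Verbose $_ }
    # Setting the DSRM password is audited on the DC as Security event 4794
    # ("An attempt was made to set the Directory Services Restore Mode
    # administrator password"). Its presence after our start time is the
    # check that the sync really took effect; it is also the event to monitor
    # for unexpected DSRM password changes.
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4794; StartTime = $started } `
                        -ErrorAction SilentlyContinue
    if (-not $evt) { throw "No event 4794 logged; DSRM sync for '$User' did not complete." }
    return $evt[0]
}

function Register-DsrmSyncTask {
    param([string]$User)
    # The sync is a one-time copy of the domain account's current password: a
    # later password change on 'dsrmsync' does not reach DSRM until ntdsutil
    # runs again, hence a recurring task on every DC (here: weekly, as SYSTEM).
    $action    = New-ScheduledTaskAction -Execute 'ntdsutil.exe' `
                    -Argument "`"set dsrm password`" `"sync from domain account $User`" q q"
    $trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 3am
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
                    -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'Sync DSRM password' -Action $action `
                           -Trigger $trigger -Principal $principal -Force
}

Sync-DsrmPassword -User $DsrmUser
Register-DsrmSyncTask -User $DsrmUser
```

If the task is instead deployed through Group Policy Preferences, use the same ntdsutil.exe program and argument string in the Scheduled Task item so every DC performs the identical sync.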

