
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-243479

CAT II (Medium)

The Directory Service Restore Mode (DSRM) passwords must be changed on each Domain Controller (DC) at least annually.

Rule ID

SV-243479r1153403_rule

STIG

Active Directory Domain Security Technical Implementation Guide

Version

V3R7

CCIs

CCI-000366

Discussion

The DSRM password, used to log on to a domain controller (DC) when rebooting into the server recovery mode, is very powerful. With a weak or known password, someone with local access to the DC can reboot the server and copy or modify the Active Directory database without leaving any trace of the activity. Failure to change the DSRM password periodically could allow compromise of the Active Directory. It could also allow an unknown (lost) password to go undetected. If not corrected during a periodic review, the problem might surface during an actual recovery operation and delay or prevent the recovery.

Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on Microsoft Entra-joined or Windows Server Active Directory-joined devices. Windows LAPS can also be used to automatically manage and back up the DSRM account password on a Windows Server Active Directory DC. An authorized administrator can retrieve the DSRM password and use it.

Check Content

Verify the DSRM password for each DC is changed at least annually.

If logs are retained locally for a sufficient amount of time to capture the log event, the following command will indicate the password reset:
PS C:\> Get-WinEvent -FilterHashtable @{Logname='Security'; ID=4794} | Format-Table -Property TimeCreated, Message

TimeCreated              Message
-----------              -------
10/29/2025 4:47:12 PM    An attempt was made to set the Directory Services Restore Mode...

If logs are not available, review the site processes around DSRM password reset to determine compliance.

If DSRM passwords are not changed for each DC in the domain at least annually, this is a finding.
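The check above is written for a single DC and leaves the reviewer to compare the event date against the annual window by hand. The following script is an added example (not DISA's check content and not STIGhub's code) that applies the same event ID 4794 test to every DC in the domain and reports which ones have no reset inside the window. It assumes the RSAT ActiveDirectory module is installed, that the reviewing account can read the Security log on each DC remotely, and that the 365-day window and the `$MaxAgeDays` parameter name are choices made here rather than values taken from the STIG.

```powershell
# Added example: audit every DC for a DSRM password reset (Security event ID 4794)
# within the last $MaxAgeDays days. Assumes RSAT ActiveDirectory and remote access
# to each DC's Security log. Not part of the STIG text.
param(
    [int]$MaxAgeDays = 365   # annual window; assumed value, matches the rule's intent
)

Import-Module ActiveDirectory

$cutoff  = (Get-Date).AddDays(-$MaxAgeDays)
$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Event 4794 is written on the DC whose DSRM administrator password was set,
        # so each DC's own Security log must be queried.
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable @{
            LogName   = 'Security'
            ID        = 4794
            StartTime = $cutoff
        } -ErrorAction Stop
        $last   = ($events | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        $status = 'Compliant'
    } catch {
        # Get-WinEvent raises an error when nothing matches; keep that case separate
        # from RPC or permission failures, which make the DC unverifiable rather than a finding.
        $last = $null
        if ($_.Exception.Message -match 'No events were found') {
            # Per the check text: no event may also mean the log rolled over, so confirm
            # against site reset records before closing this as a finding.
            $status = 'Finding - no reset event in window (or log not retained that long)'
        } else {
            $status = "Unverifiable - $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{
        DomainController = $dc.HostName
        LastDsrmReset    = $last
        Status           = $status
    }
}

$results | Sort-Object Status, DomainController | Format-Table -AutoSize
```

Run it from a management host as an account that is permitted to read the Security log on the DCs. A DC reported as `Unverifiable` should be rechecked locally with the single-DC command in the check content, and any DC reported as a finding should be reconciled with the site's reset records before it is closed, since a Security log that does not retain a full year of events cannot by itself prove the password was never reset.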

Fix Text

Change the DSRM passwords on each DC at least annually with the following commands:

C:\> ntdsutil
C:\Windows\system32\ntdsutil.exe: Set DSRM Password
Reset DSRM Administrator Password: Reset Password on server <servername>
Follow prompts to reset the password.