Reset the DSRM password

Active Directory always validates a new Directory Services Repair Mode (DSRM) password to make sure it meets the domain’s password complexity requirements; this validation also calls into password filter DLLs such as Microsoft Entra Password Protection. If the new DSRM password is rejected, the following error message results:

C:\>ntdsutil.exe
ntdsutil: set dsrm password
Reset DSRM Administrator Password: reset password on server null
Please type password for DS Restore Mode Administrator Account: ********
Please confirm new password: ********
Setting password failed.
WIN32 Error Code: 0xa91
Error Message: Password doesn't meet the requirements of the filter dll's

When Microsoft Entra Password Protection logs the password validation event log event(s) for an Active Directory DSRM password, it is expected that the event log messages will not include a user name. This behavior occurs because the DSRM account is a local account that is not part of the actual Active Directory domain.

To reset the DSRM password, use the following command sequence:

C:\>ntdsutil.exe
ntdsutil: set dsrm password
Reset DSRM Administrator Password: reset password on server null
Please type password for DS Restore Mode Administrator Account: ********
Please confirm new password: ********
The password has successfully been reset
(CTRL + C) to exit

In “reset password on server null”, null means the password is reset on the local machine.