#PSTip Identifying read-only domain controllers

Note: This tip requires PowerShell 2.0 or above.

When you get a list of domain controllers using the AD module, one of the properties each DC has is the IsReadOnly property. When IsReadOnly is set to $true, the domain controller is a read-only domain controller.

Import-Module ActiveDirectory
Get-ADDomainController -Filter * | Select-Object Name,IsReadOnly

One way to get RODCs is to filter the above result using the Where-Object cmdlet:

Get-ADDomainController -Filter * | Where-Object {$_.IsReadOnly -eq $true}

But there is a better, more efficient way. With the Filter parameter the filtering happens on the domain controller, and only the objects that match the filter are sent back to you, whereas piping to Where-Object retrieves every domain controller object first and only then filters them on the client.

Get-ADDomainController -Filter {IsReadOnly -eq $true}

Without the AD module you can search for read-only domain controllers by querying the primaryGroupID attribute (primary group) of their computer accounts. RODCs have a value of 521, the RID of the “Read-only Domain Controllers” built-in AD group (writable DCs have primaryGroupID set to 516, the “Domain Controllers” group).

([adsisearcher]'(primaryGroupID=521)').FindAll()
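The following script is an added example, not part of the original tip. It wraps both techniques from the tip, the server-side Filter on Get-ADDomainController and the raw primaryGroupID=521 LDAP search, in small functions and cross-checks that they report the same hosts. A mismatch is something a defender wants to know about: the AD module answers from the live DC objects, while the LDAP search answers from group membership, so a computer account that shows up in only one list deserves a closer look. It assumes a domain-joined machine whose current user can read the default naming context; the function names Get-RodcViaAdModule, Get-RodcViaAdsi and Compare-RodcInventory are my own.

```powershell
# Added example (not from the original tip). Assumes a domain-joined host and,
# for Get-RodcViaAdModule, that the RSAT ActiveDirectory module is installed.

function Get-RodcViaAdModule {
    # Server-side filter: only RODC objects cross the wire.
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADDomainController -Filter { IsReadOnly -eq $true } |
        Select-Object Name, HostName, Site, IPv4Address, OperatingSystem, IsReadOnly
}

function Get-RodcViaAdsi {
    # No AD module needed. RODC computer accounts carry primaryGroupID 521
    # ("Read-only Domain Controllers"); writable DCs carry 516.
    # objectCategory=computer is added so a stray user/group object with that
    # attribute value cannot slip into the result.
    $searcher = [adsisearcher]'(&(objectCategory=computer)(primaryGroupID=521))'
    $searcher.PageSize = 500   # paged search, so large domains do not hit the size limit
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@('name', 'dNSHostName', 'operatingSystem'))

    foreach ($result in $searcher.FindAll()) {
        # Property names in the result set are lower-case; Select-Object -First 1
        # avoids an index error when an attribute is not populated.
        [pscustomobject]@{
            Name            = [string]($result.Properties['name']            | Select-Object -First 1)
            HostName        = [string]($result.Properties['dnshostname']     | Select-Object -First 1)
            OperatingSystem = [string]($result.Properties['operatingsystem'] | Select-Object -First 1)
        }
    }
}

function Compare-RodcInventory {
    # Both methods should name exactly the same set of hosts.
    $fromModule = @(Get-RodcViaAdModule | ForEach-Object { $_.HostName.ToLower() })
    $fromAdsi   = @(Get-RodcViaAdsi     | ForEach-Object { $_.HostName.ToLower() })

    # -notcontains keeps this usable on PowerShell 2.0, which the tip targets.
    $onlyModule = @($fromModule | Where-Object { $fromAdsi   -notcontains $_ })
    $onlyAdsi   = @($fromAdsi   | Where-Object { $fromModule -notcontains $_ })

    [pscustomobject]@{
        RodcCount          = $fromModule.Count
        ReportedByBoth     = @($fromModule | Where-Object { $fromAdsi -contains $_ })
        OnlyAdModule       = $onlyModule   # a DC object that is not in the RODC group
        OnlyPrimaryGroupId = $onlyAdsi     # a computer in the RODC group that is not a live DC
        InventoriesAgree   = ($onlyModule.Count -eq 0 -and $onlyAdsi.Count -eq 0)
    }
}

# Usage: print the RODC list, then the consistency check.
Get-RodcViaAdModule | Format-Table -AutoSize
Compare-RodcInventory | Format-List
```

Run it from an elevated or at least domain-authenticated session. When InventoriesAgree is $false, look at the host names in OnlyAdModule and OnlyPrimaryGroupId: a stale computer object left in the Read-only Domain Controllers group, or a DC object whose primary group was changed, are the usual explanations, and either one is worth cleaning up before relying on group membership for monitoring or access decisions.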