Code used in the process of resetting the password of the DSRM placeholder account for RODCs, either removing the sync restrictions (allowing the RODCs to sync the DSRM password from the account) or adding them again (denying that sync)
# SOURCE: https://gist.github.com/zjorz/fc6a4f33539fcfaaa11a6c11c564f37d/
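Invoke-Command -ScriptBlock {
    # PURPOSE
    #   Resets the password of the DSRM placeholder account that the RODCs sync their DSRM password from and,
    #   depending on $action, either REMOVES the sync restrictions (the new password is displayed so the operator
    #   can store it and run the sync) or ADDS them again (the new password is random and never displayed).
    #   All writes are sent to the PDC emulator so that every change originates on a single RWDC.
    # CONFIGURE BEFORE RUNNING
    #   $scriptMode : "ADSIorSDSP" (System.DirectoryServices only) Or "ADPoSH" (ActiveDirectory module)
    #   $action     : "ALLOW_PWD_RESET_SYNC" Or "DISALLOW_PWD_RESET_SYNC"
    #   Any other value for either setting aborts the script before AD is touched.
    Clear-Host

    # Fail fast: a failure in any step (bind, attribute write, password set, ACL change) must stop the script
    # instead of letting the remaining steps run against a half-modified account.
    $ErrorActionPreference = "Stop"

    $scriptMode = "ADSIorSDSP" # "ADSIorSDSP" Or "ADPoSH"
    Write-Host ""
    Write-Host "###############################################################################" -Foregroundcolor Yellow
    Write-Host "### RESETTING THE DSRM PLACEHOLDER ACCOUNT PASSWORD FOR RODCs ###" -Foregroundcolor Yellow
    Write-Host "###############################################################################" -Foregroundcolor Yellow

    # Some Basics
    $action = "ALLOW_PWD_RESET_SYNC" # "ALLOW_PWD_RESET_SYNC" Or "DISALLOW_PWD_RESET_SYNC" # CONFIGURE THIS!
    $dsrmRODCsSamAccountName = "dsrm.RODCs"
    $controlAttribute = "extensionAttribute1" # Set to $controlValue while sync is allowed, cleared while it is denied
    $controlValue = "RESET"

    # Refuse to run with a mistyped setting; otherwise the branches below would silently do nothing.
    If (@("ADSIorSDSP", "ADPoSH") -notcontains $scriptMode) {
        Throw "Unsupported scriptMode '$scriptMode'. Use 'ADSIorSDSP' Or 'ADPoSH'."
    }
    If (@("ALLOW_PWD_RESET_SYNC", "DISALLOW_PWD_RESET_SYNC") -notcontains $action) {
        Throw "Unsupported action '$action'. Use 'ALLOW_PWD_RESET_SYNC' Or 'DISALLOW_PWD_RESET_SYNC'."
    }

    # 'NT AUTHORITY\SYSTEM' Well-Known Security Principal. The SID itself is used as the ACE identity (it is an
    # IdentityReference) so the script does not depend on the localized account name on this host.
    $systemSecurityPrincipalStringSID = "S-1-5-18"
    $systemSecurityPrincipal = New-Object System.Security.Principal.SecurityIdentifier($systemSecurityPrincipalStringSID)
    $rightsCollection = [System.DirectoryServices.ActiveDirectoryRights]::"GenericAll" # Full Control
    $aclTypeAllow = [System.Security.AccessControl.AccessControlType]::"Allow" # Allow ACE
    $aclTypeDeny = [System.Security.AccessControl.AccessControlType]::"Deny" # Deny ACE
    $accessInheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::"None" # This Object Only
    $scopedObjectSchemaIDGuid = "00000000-0000-0000-0000-000000000000" # All
    $scopedAttributeSchemaIDGuid = "00000000-0000-0000-0000-000000000000" # All
    # Argument order matches ActiveDirectoryAccessRule(identity, adRights, type, objectType, inheritanceType, inheritedObjectType)
    $aceDefinitionAllow = $systemSecurityPrincipal,$rightsCollection,$aclTypeAllow,$scopedAttributeSchemaIDGuid,$accessInheritanceType,$scopedObjectSchemaIDGuid
    $aceDefinitionDeny = $systemSecurityPrincipal,$rightsCollection,$aclTypeDeny,$scopedAttributeSchemaIDGuid,$accessInheritanceType,$scopedObjectSchemaIDGuid

    Function New-RandomPassword {
        # Returns a password of $Length characters drawn uniformly, WITH replacement, from $Alphabet using the
        # OS cryptographic RNG. Windows PowerShell's Get-Random is backed by System.Random (not a CSPRNG) and
        # 'Get-Random -Count' samples without replacement, so it is not suitable for a credential.
        # Rejection sampling keeps the draw unbiased: a byte is only used when it is below the largest
        # multiple of the alphabet size that fits in a byte (256 % 62 = 8 values are discarded).
        Param (
            [Parameter(Mandatory = $true)][int]$Length,
            [Parameter(Mandatory = $true)][char[]]$Alphabet
        )
        $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
        Try {
            $limit = 256 - (256 % $Alphabet.Length)
            $chars = New-Object System.Collections.Generic.List[char]
            $buffer = New-Object byte[] 1
            While ($chars.Count -lt $Length) {
                $rng.GetBytes($buffer)
                If ($buffer[0] -lt $limit) {
                    $chars.Add($Alphabet[$buffer[0] % $Alphabet.Length])
                }
            }
            Return -join $chars
        } Finally {
            $rng.Dispose()
        }
    }

    Function Set-DsrmPlaceholderAccountState {
        # Applies the new password and the sync-restriction state to the placeholder account on the PDC emulator.
        #   $AllowSync = $true  : sets $controlAttribute, removes any Deny ACE for SYSTEM and adds an Allow ACE
        #   $AllowSync = $false : clears $controlAttribute, removes any Allow ACE for SYSTEM and adds a Deny ACE
        # The ACE is scoped to this object only (no inheritance), GenericAll, as defined in $aceDefinitionAllow/Deny.
        # Reads the configuration variables of the enclosing script block (PowerShell dynamic scoping).
        Param ([Parameter(Mandatory = $true)][bool]$AllowSync)
        If ($AllowSync) {
            $aceToAdd = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($aceDefinitionAllow)
            $aceTypeToRemove = $aclTypeDeny
        } Else {
            $aceToAdd = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($aceDefinitionDeny)
            $aceTypeToRemove = $aclTypeAllow
        }
        If ($scriptMode -eq "ADSIorSDSP") {
            $accountEntry = [ADSI]"LDAP://$rwdcPDCFSMOFQDN/$dsrmAdmAccountDN"
            If ($AllowSync) {
                $accountEntry.Put($controlAttribute, $controlValue)
            } Else {
                [int]$ADS_PROPERTY_CLEAR = 1 # ADS_PROPERTY_OPERATION_ENUM: Clear All Values, Specify 0 As The New Value
                $accountEntry.PutEx($ADS_PROPERTY_CLEAR, $controlAttribute, 0)
            }
            $accountEntry.SetInfo()
            $accountEntry.RefreshCache()
            $accountEntry.SetPassword($pwdDSRMRODCs)
            $accountEntry.RefreshCache()
            $accountEntry.PSBase.ObjectSecurity.RemoveAccess($systemSecurityPrincipal, $aceTypeToRemove)
            $accountEntry.PSBase.ObjectSecurity.AddAccessRule($aceToAdd)
            $accountEntry.PSBase.CommitChanges()
        }
        If ($scriptMode -eq "ADPoSH") {
            If ($AllowSync) {
                Set-ADUser -Identity $dsrmRODCsSamAccountName -Replace @{$controlAttribute = $controlValue} -Server $rwdcPDCFSMOFQDN
            } Else {
                Set-ADUser -Identity $dsrmRODCsSamAccountName -Clear $controlAttribute -Server $rwdcPDCFSMOFQDN
            }
            # -Reset performs an administrative reset; without it the cmdlet asks for the account's current password.
            Set-ADAccountPassword -Identity $dsrmRODCsSamAccountName -Reset -NewPassword $(ConvertTo-SecureString $pwdDSRMRODCs -AsPlainText -Force) -Server $rwdcPDCFSMOFQDN
            $adDrive = New-PSDrive -Name "CustomADDrive" -Root "" -PSProvider ActiveDirectory -Server $rwdcPDCFSMOFQDN
            Try {
                $aclPath = "$($adDrive.Name):\$dsrmAdmAccountDN"
                $accountAcl = Get-Acl $aclPath
                $accountAcl.RemoveAccess($systemSecurityPrincipal, $aceTypeToRemove)
                $accountAcl.AddAccessRule($aceToAdd)
                $accountAcl | Set-Acl $aclPath
            } Finally {
                # Always drop the temporary drive, otherwise a failed run leaves it behind and the next run cannot create it.
                Remove-PSDrive $adDrive
            }
        }
    }

    # Resolve the domain and the PDC emulator (the single RWDC all changes are written to)
    If ($scriptMode -eq "ADSIorSDSP") {
        $adDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
        $adDomainDN = $adDomain.GetDirectoryEntry().Properties["DistinguishedName"].Value
        $adDomainNetBIOSName = $adDomain.GetDirectoryEntry().Properties["Name"].Value
        $rwdcPDCFSMOFQDN = $adDomain.PdcRoleOwner.Name
    }
    If ($scriptMode -eq "ADPoSH") {
        Import-Module ActiveDirectory
        $adDomain = Get-ADdomain -Current LocalComputer
        $adDomainDN = $adDomain.DistinguishedName
        $adDomainNetBIOSName = $adDomain.NetBIOSName
        $rwdcPDCFSMOFQDN = $adDomain.PDCEmulator
    }

    # DSRM Placeholder Account
    $dsrmAdmAccountDN = $null
    If ($scriptMode -eq "ADSIorSDSP") {
        $adsiSearcher = New-Object DirectoryServices.DirectorySearcher
        $adsiSearcher.SearchRoot = [ADSI]"LDAP://$rwdcPDCFSMOFQDN/$adDomainDN"
        $adsiSearcher.Filter = "(sAMAccountName=$dsrmRODCsSamAccountName)"
        $dsrmAdmAccountObject = $adsiSearcher.FindOne()
        If ($dsrmAdmAccountObject) {
            $dsrmAdmAccountDN = $dsrmAdmAccountObject.Properties.distinguishedname[0]
        }
    }
    If ($scriptMode -eq "ADPoSH") {
        $dsrmAdmAccountObject = Get-ADUser -SearchBase $adDomainDN -LDAPFilter "(sAMAccountName=$dsrmRODCsSamAccountName)" -Properties $controlAttribute -Server $rwdcPDCFSMOFQDN
        If ($dsrmAdmAccountObject) {
            $dsrmAdmAccountDN = $dsrmAdmAccountObject.DistinguishedName
        }
    }
    # Without this guard an empty DN would make the LDAP bind below target "LDAP://<server>/" instead of the
    # placeholder account, and the password/ACL changes would be attempted against the wrong object.
    If ([string]::IsNullOrEmpty($dsrmAdmAccountDN)) {
        Throw "Placeholder account '$dsrmRODCsSamAccountName' was not found on '$rwdcPDCFSMOFQDN'; aborting before any change is made."
    }

    # Define The Random Password, 64 Characters In Total, For The Placeholder DSRM Account For RODCs
    # Upper-Case And Lower-Case Letters And Numbers only (symbols deliberately excluded, as in the original).
    $pwdAlphabet = [char[]]((48..57) + (65..90) + (97..122))
    $pwdDSRMRODCs = New-RandomPassword -Length 64 -Alphabet $pwdAlphabet

    # Set The New Known Password For The Placeholder DSRM Account For RODCs And Removing Restrictions
    If ($action -eq "ALLOW_PWD_RESET_SYNC") {
        Write-Host ""
        Write-Host "Setting New Password For Placeholder DSRM Account For RODCs ('$dsrmRODCsSamAccountName') And REMOVING Sync Restrictions..." -Foregroundcolor Yellow
        Set-DsrmPlaceholderAccountState -AllowSync $true

        # Read back the unicodePwd replication metadata from the PDC emulator so the operator can later confirm
        # on each RODC that the same originating change (date/time and version) has arrived before syncing.
        $targetedRWDCContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("DirectoryServer", $rwdcPDCFSMOFQDN)
        $targetedRWDCObject = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($targetedRWDCContext)
        $objectMetadataOnRWDC = $targetedRWDCObject.GetReplicationMetadata($dsrmAdmAccountDN)
        $orgDateTimeOnRWDC = $(Get-Date (Get-Date $objectMetadataOnRWDC.unicodepwd.LastOriginatingChangeTime).ToUniversalTime() -Format "yyyy-MM-ddTHH:mm:ss")
        $versionOnRWDC = $objectMetadataOnRWDC.unicodepwd.Version
        Write-Host ""
        Write-Host " > Script Mode...........: $scriptMode" -Foregroundcolor Yellow
        Write-Host " > Action................: $action" -Foregroundcolor Yellow
        Write-Host " > sAMAccountName........: $dsrmRODCsSamAccountName" -Foregroundcolor Yellow
        Write-Host " > msDS-PrincipalName....: $adDomainNetBIOSName\$dsrmRODCsSamAccountName" -Foregroundcolor Yellow
        Write-Host " > RWDC FQDN.............: $rwdcPDCFSMOFQDN" -Foregroundcolor Yellow
        Write-Host " > Org Date/Time On RWDC.: $orgDateTimeOnRWDC" -Foregroundcolor Yellow
        Write-Host " > Version On RWDC.......: $versionOnRWDC" -Foregroundcolor Yellow
        # The password is shown on purpose: the operator needs it for the vault and for the sync on the RODCs.
        # Treat the console as sensitive - Start-Transcript and console history will contain this line.
        Write-Host " > Password..............: $pwdDSRMRODCs (<- Store In Secure Vault!)" -Foregroundcolor Cyan
        Write-Host ""
    }

    # Set The New Random Unknown Password For The Placeholder DSRM Account For RODCs And Adding Restrictions
    If ($action -eq "DISALLOW_PWD_RESET_SYNC") {
        Write-Host ""
        Write-Host "Setting Random Password For Placeholder DSRM Account For RODCs ('$dsrmRODCsSamAccountName') And ADDING Sync Restrictions..." -Foregroundcolor Yellow
        Set-DsrmPlaceholderAccountState -AllowSync $false
        Write-Host ""
        Write-Host " > Script Mode...........: $scriptMode" -Foregroundcolor Yellow
        Write-Host " > Action................: $action" -Foregroundcolor Yellow
        Write-Host " > sAMAccountName........: $dsrmRODCsSamAccountName" -Foregroundcolor Yellow
        Write-Host " > msDS-PrincipalName....: $adDomainNetBIOSName\$dsrmRODCsSamAccountName" -Foregroundcolor Yellow
        Write-Host " > Password..............: ...RANDOM AND UNKNOWN..." -Foregroundcolor Cyan
        Write-Host ""
    }

    # Drop the plain-text password from the session. NOTE: .NET strings are immutable, so this does not scrub
    # memory; it only avoids the value lingering in a variable after the script block returns.
    Remove-Variable -Name pwdDSRMRODCs -ErrorAction SilentlyContinue
}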