This article has been archived. It is offered "as is" and will no longer be updated.
This article describes why you cannot view the msDS-RevealedUsers attribute value that is stored on a read-only domain controller (RODC).
When you try to view the msDS-RevealedUsers attribute value on a Windows Server 2008-based RODC, you may receive the following error message:
There is no editor registered to handle this attribute type.
Note However, you can view values for the following attributes:
The msDS-RevealedUsers attribute is a list of security principals whose passwords were replicated to the RODC.
Password Replication Policy (PRP) is a mechanism to determine whether user credentials or computer credentials can be replicated from a writable domain controller to a RODC.
The PRP is defined by the following attributes:
msDS-Reveal-OnDemandGroup This attribute is also known as the Allowed List. This attribute points to the distinguished name (DN) of the Allowed List. The Allowed List member credentials can be replicated to the RODC.
msDS-NeverRevealGroup This attribute points to the DNs of security principals whose credentials are denied replication to the RODC.
msDS-RevealedList This attribute is a list of security principals whose current computer account passwords have been replicated to the RODC.
msDS-RevealedUsers This attribute is a list of all security principals whose passwords have ever been replicated to the RODC.
msDS-AuthenticatedToAccountList This attribute contains a list of security principals in the local domain that have been authenticated by the RODC.