Fetching directory, one moment please ...
The msDS-RevealOnDemandGroup variable is the allowed list on a Windows 2008 read-only domain controller (RODC). Passwords are cached to the RODC for only for accounts on the allowed list. The default settin for this variable is the built-in security group Allowed RODC Password Replication which contains no members by default. Add accounts to this group to enable replcation of their passwords to the RODC so authentication can occur on that domain controller. Alternatively you can add other groups to the allowed list.
Use repadminto inspect this variable to identify which accounts are allowed to authenticate to this domain controller. TechNet Reference - RODC Filtered Attribute Set, Credential Caching, and the Authentication Process with an RODC
|Category:||Directory Services - Directory Service Variable|
|Target Functionality:||Directory Services - Replication|