The Directory Services Restore Mode (DSRM) Administrator could previously log on to a domain controller only while DSRM was in effect. Windows Server 2008 adds a feature that lets you control when the DSRM Administrator may log on. To change the default behavior, use Registry Editor to set the value described below. Keep in mind that registry changes may render your system non-functional if applied incorrectly.
Registry key: HKLM\System\CurrentControlSet\Control\Lsa
Value name: DsrmAdminLogonBehavior
Entry type: REG_DWORD
Value: 0, 1 or 2
where:
0 forces the DSRM Administrator to log on only in DSRM. This is the default behavior.
1 means the DSRM Administrator can log on when NTDS is stopped.
2 means the DSRM Administrator can log on to the domain controller at any time.
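
A read-only check of this setting on the local domain controller, added here as an example and not part of the original page. The function name Get-DsrmAdminLogonBehavior and its -Expected parameter are made up for illustration, and a missing value is assumed to mean the default behavior (0).

```powershell
# Added example: report the effective DsrmAdminLogonBehavior and compare it
# with the value your baseline expects. Nothing is written to the registry.
function Get-DsrmAdminLogonBehavior {
    [CmdletBinding()]
    param(
        # Value your baseline expects; 0 is the default described above.
        [ValidateRange(0, 2)]
        [int]$Expected = 0
    )

    $path = 'HKLM:\System\CurrentControlSet\Control\Lsa'
    $name = 'DsrmAdminLogonBehavior'
    $meaning = @{
        0 = 'DSRM Administrator can log on only in DSRM (default)'
        1 = 'DSRM Administrator can log on when NTDS is stopped'
        2 = 'DSRM Administrator can log on to the domain controller at any time'
    }

    # Returns $null when the value has never been created.
    $item    = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    $present = $null -ne $item
    $kind    = if ($present) { (Get-Item -Path $path).GetValueKind($name) } else { $null }
    # Assumption: an absent value is treated as the default, 0.
    $value   = if ($present) { $item.$name } else { 0 }

    # Only a REG_DWORD holding 0, 1 or 2 is a documented configuration.
    $wrongType = $present -and ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord)
    $text = if ($wrongType) {
        "Value exists but is $kind, not REG_DWORD"
    } elseif ($meaning.ContainsKey([int]$value)) {
        $meaning[[int]$value]
    } else {
        'Not one of the documented values 0, 1 or 2'
    }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        ValuePresent    = $present
        Value           = $value
        Meaning         = $text
        MatchesExpected = (-not $wrongType) -and ($value -eq $Expected)
    }
}

Get-DsrmAdminLogonBehavior -Expected 0
```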