When you create an account for the installation of a read-only domain controller (RODC), you can specify which user or group will be responsible for subsequently attaching the server to the RODC account. If you do not specify a user or group, only a member of the Domain Admins group or the Enterprise Admins group can attach the server to the account. If you do specify a user or group who can attach the server to the account, that user or group will also be responsible for administering the RODC after the installation is complete. You can specify only one user or group for this purpose.
If you want a delegated RODC administrator to be able to have passwords cached on the RODC, you must add the user account for that administrator to the list of security principals who are allowed to cache their passwords on the RODC (also known as the Allowed List), along with the computer account that the delegated administrator will use. Failure to add the corresponding computer account to the Allowed List will prevent the RODC from authenticating the delegated administrator when the connection to a writable domain controller is not available. For more information about the Allowed List and setting the Password Replication Policy (PRP), see Specifying Password Replication Policy.
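The two steps above (pre-creating the RODC account with a delegated administrator, then attaching the server to that account) can also be scripted. The following is an added example, not code from the original page; it assumes the ADDSDeployment module that ships with Windows Server 2012 and later, and the domain, site, account and group names are constructed placeholders. The Allowed List is populated at creation time with both the delegated administrator group and the computer account the administrator will log on from, which is the caveat the paragraph above describes.

```powershell
# Added example (not from the original page): pre-stage an RODC account with a
# delegated administrator group and populate the Allowed List in the same step.
# Assumes the ADDSDeployment module (Windows Server 2012 or later). All names
# below are constructed placeholders.
Import-Module ADDSDeployment

$domain     = 'corp.example.com'
$siteName   = 'Branch'
$rodcName   = 'BRANCH-RODC01'              # RODC computer account to pre-create
$adminGroup = 'CORP\RODC-BranchAdmins'     # group delegated to install and administer the RODC
$adminWs    = 'CORP\BRANCH-ADMIN01$'       # computer account the delegated admin logs on from

# Step 1 (run by a Domain Admin / Enterprise Admin): create the account and delegate it.
# Both the admin group and the admin workstation go on the Allowed List so the RODC can
# authenticate the delegated administrator when no writable DC is reachable.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName $rodcName `
    -DomainName $domain `
    -SiteName $siteName `
    -DelegatedAdministratorAccountName $adminGroup `
    -AllowedPasswordReplicationAccountName @($adminGroup, $adminWs) `
    -Credential (Get-Credential -Message 'Enterprise/Domain Admin credentials')

# Step 2 (run later, on the branch server, by a member of $adminGroup): attach the
# server to the pre-created account. No Domain Admin credentials are needed here.
Install-ADDSDomainController `
    -DomainName $domain `
    -UseExistingAccount `
    -Credential (Get-Credential -Message 'Delegated RODC administrator credentials')
```

Keeping the delegation on a group rather than a user, as the page recommends, means the Allowed List entry and the Managed By entry both point at the group, so a later change of personnel only requires a group membership edit.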
The user or group that you specify on this page in the Active Directory Domain Services Installation Wizard will have local administrative permissions on the RODC. As a practical matter, this means that the user or group has full control of the server, including the ability to log on locally, install additional software, install device drivers, and so on. The delegated user or group will also be able to remove Active Directory Domain Services (AD DS) from the RODC.
Therefore, delegate RODC installation and administration only to the users and groups that are required to have such access rights and permissions so that they can do their jobs. In addition, assign permissions to security groups rather than to individual users to simplify the process for changing those permissions when necessary.
You may want to create a security group specifically for the purpose of administering the RODC that you plan to deploy, and then specify that group name on this wizard page. That group will then appear in the Name field on the Managed By tab of the RODC properties sheet in the Active Directory Users and Computers snap-in, where you can change it anytime after the installation.
To search the directory for a specific user or group, click Set, and then type the name of the user or group. We recommend that you delegate RODC installation and administration to a group.
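A practitioner will usually want to verify, after the fact, that the principal shown on the Managed By tab is actually on the RODC's Allowed List together with the administrator's workstation, since the wizard does not enforce that. The following check is an added example, not code from the original page; it assumes the ActiveDirectory PowerShell module and uses constructed names.

```powershell
# Added example (not from the original page): confirm that the delegated RODC
# administrator (the Managed By principal) and the admin workstation are both on the
# RODC's Allowed List (Password Replication Policy). Assumes the ActiveDirectory
# module; RODC and workstation names below are constructed placeholders.
Import-Module ActiveDirectory

$rodcName = 'BRANCH-RODC01'
$adminWs  = 'BRANCH-ADMIN01$'   # sAMAccountName of the delegated admin's workstation

# The Managed By tab is backed by the managedBy attribute of the RODC computer object.
$rodc = Get-ADComputer -Identity $rodcName -Properties ManagedBy
if ($null -eq $rodc.ManagedBy) {
    throw "No delegated administrator (Managed By) is set on $rodcName."
}
$managedBy = Get-ADObject -Identity $rodc.ManagedBy -Properties sAMAccountName

# Resolve the Allowed List to principals and compare sAMAccountNames.
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodcName -Allowed
$allowedNames = @($allowed | ForEach-Object { $_.SamAccountName })

$missing = @()
foreach ($name in @($managedBy.sAMAccountName, $adminWs)) {
    if ($allowedNames -notcontains $name) { $missing += $name }
}

if ($missing.Count -eq 0) {
    "OK: '$($managedBy.sAMAccountName)' and '$adminWs' are on the Allowed List of $($rodcName)."
} else {
    "WARNING: not on the Allowed List of $($rodcName): $($missing -join ', ')"
    # Remediation (uncomment to apply): add the missing principals to the Allowed List.
    # Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodcName -AllowedList $missing
}
```

The workstation check matters because a delegated administrator whose own account is cacheable but whose workstation account is not will still fail to log on at the branch when the WAN link to a writable domain controller is down.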