Your network contains an Active Directory domain named contoso.com.
The domain has a branch site that contains a read-only domain controller (RODC) named RODC1.
A user named User1 is a member of the Allowed RODC Password Replication Group. User1 frequently logs on to a computer in the branch site.
You remove User1 from the Allowed RODC Password Replication Group.
You need to ensure that the password of User1 is no longer cached on RODC1.
What should you do?
A. Add User1 to the Denied RODC Password Replication Group, and then force Active Directory replication.
B. Run repadmin /rodcpwdrepl rodc2.contoso.com dc.contoso.com cn=User1,cn=users,dc=contoso,dc=com.
C. Run repadmin /prp delete rodc1.contoso.com allow cn=User1,cn=users,dc=contoso,dc=com.
D. Reset the password of User1, and then force Active Directory replication.
Answer looks to be: D
https://technet.microsoft.com/en-us/library/cc730883(v=ws.10).aspx
By default, if a user is not in the denied and not in the allowed groups, their password cache request is rejected. Therefore a simple password reset and AD repl should do it.
My reference, referring to the logic of my answer:
https://i-technet.sec.s-msft.com/dynimg/IC195268.gif
D.
How can you clear a password that is cached on an RODC?
There is no mechanism to erase passwords after they are cached on an RODC. If you want to clear a password that is stored on an RODC, an administrator should reset the password in the hub site. This way, the password that is cached in the branch will no longer be valid for accessing any resources in the hub site or other branches. In the branch that contains the RODC on which the password may have been compromised, the password will still be valid for authentication purposes until the next replication cycle, at which time its value that is stored on the RODC will be changed to Null. The new password will be cached only after the user authenticates with it—or the new password is prepopulated on the RODC—and if the PRP has not been changed.
In the event that an RODC is compromised, you should reset the passwords for all accounts that have cached passwords and then rebuild the RODC.
I guess it is C: Run repadmin /prp delete rodc1.contoso.com allow cn=User1,cn=users,dc=contoso,dc=com.
repadmin /prp -> Lists and modifies the Password Replication Policy (PRP) for read-only domain controllers (RODCs).
You run the repadmin /prp command against a writable domain controller that runs Windows Server 2008 rather than an RODC.
Syntax
repadmin /prp delete <RODC> allow {<security_principal> | /all}
repadmin /prp delete <RODC> auth2 /all
Deletes one or more specified security principals from the msDS-AuthenticatedToAccountList attribute or from the msDS-RevealOnDemandGroup attribute that is associated with the RODC. (The AuthenticatedToAccountList attribute is also known as the Authenticated to List, and the msDS-RevealOnDemandGroup attribute is also known as the Allowed List.)
https://technet.microsoft.com/en-us/library/cc835090(v=ws.11).aspx#BKMK_Del
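An added example (not from this thread or from Microsoft's documentation) that audits which accounts still have passwords cached on RODC1 but are no longer covered by its Allowed list, and then applies the reset-in-the-hub-site-plus-replication step the TechNet text describes. It assumes the RSAT ActiveDirectory module and a writable hub-site DC with the hypothetical name DC1.contoso.com.

```powershell
# Added example, not from the thread or from Microsoft's documentation.
# Assumes the RSAT ActiveDirectory module on a machine that can reach a
# writable DC; DC1.contoso.com is a hypothetical hub-site DC name.
Import-Module ActiveDirectory

function Get-StaleRodcCachedAccounts {
    # Returns accounts whose password is cached on the RODC (the "revealed"
    # accounts) but that are no longer covered by the RODC's Allowed list,
    # either directly or through group membership. These are the accounts
    # whose cached secret can only be invalidated by a password reset.
    param([Parameter(Mandatory)][string]$Rodc)

    # Expand the Allowed list (users and groups) into SAM account names.
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
    $covered = foreach ($principal in $allowed) {
        if ($principal.ObjectClass -eq 'group') {
            (Get-ADGroupMember -Identity $principal.DistinguishedName -Recursive).SamAccountName
        } else {
            $principal.SamAccountName
        }
    }

    # Accounts whose secrets have actually been cached on this RODC.
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
    $revealed | Where-Object { $covered -notcontains $_.SamAccountName }
}

# Audit first: User1 should appear here once removed from the Allowed group.
$stale = Get-StaleRodcCachedAccounts -Rodc 'RODC1'
$stale | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

# Invalidate each cached secret: reset the password on a writable DC in the
# hub site, then pull the change to RODC1 so the value it holds is replaced
# at this replication cycle rather than waiting for the next scheduled one.
foreach ($account in $stale) {
    $newPassword = Read-Host -AsSecureString "New password for $($account.SamAccountName)"
    Set-ADAccountPassword -Identity $account.DistinguishedName -Reset -NewPassword $newPassword -Server 'DC1.contoso.com'
}
repadmin /replicate RODC1.contoso.com DC1.contoso.com DC=contoso,DC=com
```

Accounts that are in the Denied list are also not re-cached, so the audit only needs the Allowed side to decide which cached secrets are stale.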