An LDAP Modify of the rODCPurgeAccount attribute causes the RODC to purge cached secret attributes of a specified security principal. The requester must have the "Read-Only-Replication-Secret-Synchronization" control access right on the root of the default NC. The Modify request must be directed to an RODC that hosts an NC replica that contains the specified RODC object. If the RODC to which the operation is directed does not host such an NC, then the error operationsError / ERROR_DS_CANT_FIND_EXPECTED_NC is returned. If the operation is sent to a DC that is not an RODC, then the error operationsError / ERROR_DS_GENERIC_ERROR is returned.
The value specified for the rODCPurgeAccount attribute in the LDAP modify request must be the DN of the object whose secret attributes are to be purged. The DN specified is either an [RFC2253]-style DN or one of the alternative DN formats described in section 184.108.40.206.1.2.4. If the value is not in the specified format or the object does not exist, the server rejects the request with the error operationsError / ERROR_DS_OBJ_NOT_FOUND. The server returns success upon successfully purging the secret attributes of the specified security principal.
The following shows an LDIF sample that performs this operation. This sample purges the cached secret attributes of the user whose DN is "CN=TestUser, CN=Users, DC=Fabrikam, DC=com" from the RODC to which this operation is sent.
dn: changetype: modify replace: rODCPurgeAccount rODCPurgeAccount: CN=TestUser, CN=Users, DC=Fabrikam, DC=com -