The two traditional means of pre-populating passwords have some limitations. Currently, neither the Active Directory Users and Computers console nor the repadmin command allows the use of security groups.

Because pre-populating passwords one account at a time, or in small batches based on organizational units, may not be practical, you can script the operation around security groups. For instance, to reuse the same security group that authorizes credential caching on a particular RODC, the following may be used in a batch file:

For /F "delims=" %%a in ('"dsquery group dc=mycompany,dc=com -name <Groupname> | dsget group -members"') do (Repadmin /rodcpwdrepl <RODCname> <RWDCname> %%a)
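The same group-driven pre-population in PowerShell, as an added example that is not part of the original page. It goes beyond the one-liner above by expanding nested groups and recording the result for each account. The `<Groupname>`, `<RODCname>` and `<RWDCname>` values are the page's placeholders, and the script assumes the ActiveDirectory module (RSAT) and repadmin.exe are available.

```powershell
# Added example, not from the original page.
# Placeholders taken from the page: replace before use.
$GroupName = '<Groupname>'   # group that authorizes credential caching on the RODC
$Rodc      = '<RODCname>'    # read-only domain controller to pre-populate
$Rwdc      = '<RWDCname>'    # writable domain controller used as the source

Import-Module ActiveDirectory

# -Recursive flattens nested groups and returns only leaf members,
# so accounts that are authorized through a nested group are included.
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -in 'user', 'computer' }

$results = foreach ($m in $members) {
    # repadmin takes the account's distinguished name as the last argument.
    # Passing it as one PowerShell argument keeps DNs with spaces intact.
    $output = & repadmin.exe /rodcpwdrepl $Rodc $Rwdc $m.distinguishedName 2>&1

    [pscustomobject]@{
        Account = $m.SamAccountName
        DN      = $m.distinguishedName
        # Assumption: repadmin signals failure with a non-zero exit code.
        # Review the Detail column as well before treating a row as done.
        Success = ($LASTEXITCODE -eq 0)
        Detail  = ($output | Out-String).Trim()
    }
}

# List failures first so they can be investigated.
$results | Sort-Object Success |
    Format-Table Account, Success, Detail -AutoSize -Wrap
```

Pre-population only succeeds for accounts that the RODC's Password Replication Policy allows to be cached, so a failure for a group member usually points at a deny entry that takes precedence.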

Monitoring – Password Replication Policy Administration: