Why can I create objects on the read-only domain controller?

Tags: active-directory, rodc, windows-server-2012

I have a Windows Server 2012 Domain Controller. I have configured another Server 2012 machine as a Read-Only Domain Controller. When I log in with domain administrator credentials on my RODC, I can create objects, but I should not be able to do that.

Why am I not being blocked from creating objects on a RODC?

Best Answer

Your ADUC snap-in, or AD Administration Center (whichever you are using), is likely automatically connecting to your writable domain controller. In ADUC, right-click on the domain and click "Change Domain Controller" and point it at your RODC. You won't be able to create objects after you do that.
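
The same check from PowerShell, as an added example that is not part of the original answer: it lists which domain controllers are read-only and shows which one the AD cmdlets bind to when no server is specified. It assumes the ActiveDirectory RSAT module is installed; the function names `Get-DcWriteability` and `Get-SessionDc` are hypothetical.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT).
# Run it in the same logon session where you opened ADUC/ADAC.
Import-Module ActiveDirectory

function Get-DcWriteability {
    # Every DC in the current domain, with its read-only flag.
    Get-ADDomainController -Filter * |
        Select-Object HostName, Site, IsReadOnly, IsGlobalCatalog |
        Sort-Object IsReadOnly, HostName
}

function Get-SessionDc {
    # The DC the AD cmdlets bind to when -Server is omitted.
    # This reports the cmdlets' binding, not ADUC's own selection;
    # ADUC's choice is changed via "Change Domain Controller".
    $rootDse = Get-ADRootDSE
    $dc = Get-ADDomainController -Identity $rootDse.dnsHostName
    [pscustomobject]@{
        LogonServer = $env:LOGONSERVER   # DC that authenticated this session
        BoundDc     = $dc.HostName       # DC answering directory requests
        IsReadOnly  = $dc.IsReadOnly
    }
}

Get-DcWriteability | Format-Table -AutoSize
$session = Get-SessionDc
$session | Format-List

if (-not $session.IsReadOnly) {
    # Being logged on to the RODC does not mean directory writes go to it.
    Write-Warning ("Directory requests are going to writable DC {0}; " +
        "object creation will succeed there." -f $session.BoundDc)
}
```

If `IsReadOnly` is `False` for the bound DC, object creation is being handled by a writable domain controller even though the console session is on the RODC.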