Add users, computers, and groups to the allowed or denied list of a read-only domain controller password replication policy.
Syntax
Add-ADDomainControllerPasswordReplicationPolicy
-AllowedList ADPrincipal[] [[-Identity] ADDomainController]
[-AuthType {Negotiate | Basic}] [-Credential PSCredential]
[-Server string]] [-Confirm] [-WhatIf] [CommonParameters]
Add-ADDomainControllerPasswordReplicationPolicy
-DeniedList ADPrincipal[] [[-Identity] ADDomainController]
[-AuthType {Negotiate | Basic}] [-Credential PSCredential]
[-Server string]] [-Confirm] [-WhatIf] [CommonParameters]
Key
-AllowedList ADPrincipal[]
The users, computers, groups or other accounts to add to the list of accounts allowed to
replicate their passwords to this Read-only domain controller (RODC).
Specify more than one value with a comma-separated list.
Identify each user, computer, or group, with one of the following property values:
Distinguished name
Example: CN=MikeHsu,CN=employees,CN=Users,DC=SS64,DC=com
GUID (objectGUID)
Example: 989c3d2e-f72d-4d20-8a64-030d94795f20
Security identifier (objectSid)
Example: S-1-5-21-4795297888-301567370-576410423-1103
Security accounts manager (SAM) account name (sAMAccountName)
Example: MikeHsu
-AuthType {Negotiate | Basic}
The authentication method to use: Negotiate (or 0), Basic (or 1)
A Secure Sockets Layer (SSL) connection is required for Basic authentication.
-Credential PSCredential
A user account that has permission to perform this action.
The default is the current user unless the cmdlet is run from an AD PowerShell provider drive
in which case the account associated with the drive is the default.
"User64" or "Domain01\User64" or a PSCredential object.
-DeniedList ADPrincipal[]
The users, computers, groups or other accounts to add to the list of accounts allowed to
replicate their passwords to this Read-only domain controller (RODC).
Specify more than one value with a comma-separated list.
Identify each user, computer, or group, with one of the following property values:
Distinguished name
Example: CN=MikeHsu,CN=employees,CN=Users,DC=SS64,DC=com
GUID (objectGUID)
Example: 989c3d2e-f72d-4d20-8a64-030d94795f20
Security identifier (objectSid)
Example: S-1-5-21-4795297888-301567370-576410423-1103
Security accounts manager (SAM) account name (sAMAccountName)
Example: MikeHsu
-Identity ADDomainController
An Active Directory domain controller object
This can be provided as one of the following values. (The identifier in parentheses is
the LDAP provider name for the attribute).
Unless specified otherwise, these values are for the server object that
represents the domain controller.
GUID (objectGUID)
Example: 768c44de-f72d-66e0-7a88-0363ca495f20
IPV4Address
Example:157.59.162.61
Global IPV6Address
Example: 2401:6498:0:fff:600:5efe:157.59.132.61
DNS Host Name (dNSHostName)
Example: corp-DC01.corp.SS64.com
Name of the server object
Example: corp-DC01$
Distinguished Name of the NTDS Settings object
Example: CN=NTDS Settings,CN=CORP-DC12,CN=Servers,CN=Sites,CN=Configuration,DC=corp,DC=SS64,DC=co
Distinguished Name of the server object that represents the domain controller
Example: CN=CORP-DC12,CN=Servers,CN=Sites,CN=Configuration,DC=corp,DC=SS64,DC=com
GUID of NTDS settings object under the configuration partition
Example: 68adaf21-e28d-6012-bca8-320d93450ab0
GUID of server object under the configuration partition
Example: 599c3d2e-f72d-4d20-8a88-030d99495f20
Distinguished Name of the computer object that represents the domain controller.
Example: CN=CORP-DC12,OU=Domain Controllers,DC=corp,DC=SS64,DC=com
The cmdlet searches the default naming context or partition to find the object.
If two or more objects are found, the cmdlet returns a non-terminating error.
This parameter can also get an object through the pipeline or the parameter may be
set to an object instance.
-Server string
The AD Domain Services instance to connect to, this may be a Fully qualified domain name,
NetBIOS name, Fully qualified directory server name (with or without port number) or AD Snapshot instance.
Examples: demo.SS64.com demo demoDC02.demo.ss64.com demoDC02.demo.ss64.com:3268
-Confirm
Prompt for confirmation before executing the command.
-WhatIf
Describe what would happen if you executed the command, without actually executing the command.
Add-ADDomainControllerPasswordReplicationPolicy adds one or more users, computers, and groups to the allowed or denied list of a read-only domain controller (RODC) password replication policy.
The -Identity parameter specifies the RODC that uses the allowed and denied lists to apply the password replication
policy. Identify a domain controller by its GUID, IPV4Address, global IPV6Address, or DNS host name. You can also identify a domain controller by the name of the server object that represents the domain controller, the Distinguished Name (DN) of the NTDS settings object of the server object, the GUID of the NTDS settings object of the
server object under the configuration partition, or the DN of the computer object that represents the domain controller. Alternatively set the -Identity parameter to a domain controller object variable, or pass an object through the PowerShell pipeline. e.g. using Get-ADDomainController. You must specify a read-only domain controller.
The -AllowedList parameter specifies the users, computers, and groups to add to the allowed list. Similarly, the -DeniedList parameter specifies the users, computers, and groups to add to the denied list. You must specify either one
or both of -AllowedList and -DeniedList. To specify more than one user/group/computer, use a comma-separated list. If a specified user, computer, or group is not on the allowed or denied list, the cmdlet does not
return an error.
Add user accounts to the Allowed list on a given RODC with the specified SamAccountNames:
PS C:\> Add-ADDomainControllerPasswordReplicationPolicy -Identity "SS64RODC1" -AllowedList "PeterFalk", "AliceLiddell"
Add user accounts to the Denied list on a given RODC with the specified SamAccountNames:
PS C:\> Add-ADDomainControllerPasswordReplicationPolicy -Identity "SS64RODC1" -DeniedList "PatrickMcGoohan", "Leslie Nielsen"
“It has beeen said that the love of money is the root of all evil. The want of money is so quite as truly” ~ Samuel Butler
Get-adFineGrainedPasswordPolicy - Get one or more AD fine-grained password policies.