Add-ADDomainControllerPasswordReplicationPolicy

Add users, computers, and groups to the allowed or denied list of a read-only domain controller password replication policy.

Syntax
      Add-ADDomainControllerPasswordReplicationPolicy
         -AllowedList ADPrincipal[] [[-Identity] ADDomainController]
            [-AuthType {Negotiate | Basic}] [-Credential PSCredential]
               [-Server string]] [-Confirm] [-WhatIf] [CommonParameters]

      Add-ADDomainControllerPasswordReplicationPolicy
         -DeniedList ADPrincipal[] [[-Identity] ADDomainController]
            [-AuthType {Negotiate | Basic}] [-Credential PSCredential]
               [-Server string]] [-Confirm] [-WhatIf]  [CommonParameters]

Key
   -AllowedList ADPrincipal[]
       The users, computers, groups or other accounts to add to the list of accounts allowed to
       replicate their passwords to this Read-only domain controller (RODC).
       Specify more than one value with a comma-separated list. 

       Identify each user, computer, or group, with one of the following property values:
          Distinguished name
              Example:  CN=MikeHsu,CN=employees,CN=Users,DC=SS64,DC=com
          GUID  (objectGUID) 
              Example:  989c3d2e-f72d-4d20-8a64-030d94795f20
          Security identifier (objectSid)
              Example:  S-1-5-21-4795297888-301567370-576410423-1103
          Security accounts manager (SAM) account name  (sAMAccountName)
              Example:  MikeHsu

   -AuthType {Negotiate | Basic}
       The authentication method to use: Negotiate (or 0), Basic (or 1)
       A Secure Sockets Layer (SSL) connection is required for Basic authentication.

   -Credential PSCredential
       A user account that has permission to perform this action.
       The default is the current user unless the cmdlet is run from an AD PowerShell provider drive
       in which case the account associated with the drive is the default.

       "User64" or "Domain01\User64" or a PSCredential object.

   -DeniedList ADPrincipal[]
       The users, computers, groups or other accounts to add to the list of accounts allowed to
       replicate their passwords to this Read-only domain controller (RODC).
       Specify more than one value with a comma-separated list. 

       Identify each user, computer, or group, with one of the following property values:
          Distinguished name
              Example:  CN=MikeHsu,CN=employees,CN=Users,DC=SS64,DC=com
          GUID  (objectGUID) 
              Example:  989c3d2e-f72d-4d20-8a64-030d94795f20
          Security identifier (objectSid)
              Example:  S-1-5-21-4795297888-301567370-576410423-1103
          Security accounts manager (SAM) account name  (sAMAccountName)
              Example:  MikeHsu

   -Identity ADDomainController
       An Active Directory domain controller object
       This can be provided as one of the following values. (The identifier in parentheses is
       the LDAP display name for the attribute).
       Unless specified otherwise, these values are for the server object that
       represents the domain controller.

          GUID (objectGUID)
            Example: 768c44de-f72d-66e0-7a88-0363ca495f20 
          IPV4Address
            Example:157.59.162.61
          Global IPV6Address
            Example: 2401:6498:0:fff:600:5efe:157.59.132.61
          DNS Host Name (dNSHostName)
            Example: corp-DC01.corp.SS64.com
          Name of the server object
            Example: corp-DC01$
          Distinguished Name of the NTDS Settings object
            Example: CN=NTDS Settings,CN=CORP-DC12,CN=Servers,CN=Sites,CN=Configuration,DC=corp,DC=SS64,DC=co
         Distinguished Name of the server object that represents the domain controller
            Example: CN=CORP-DC12,CN=Servers,CN=Sites,CN=Configuration,DC=corp,DC=SS64,DC=com
          GUID of NTDS settings object under the configuration partition
            Example: 68adaf21-e28d-6012-bca8-320d93450ab0
          GUID of server object under the configuration partition
            Example: 599c3d2e-f72d-4d20-8a88-030d99495f20
          Distinguished Name of the computer object that represents the domain controller.
            Example: CN=CORP-DC12,OU=Domain Controllers,DC=corp,DC=SS64,DC=com

       The cmdlet searches the default naming context or partition to find the object.
       If two or more objects are found, the cmdlet returns a non-terminating error.

       This parameter can also get an object through the pipeline or the parameter may be
       set to an object instance. 

   -Server string
       The AD Domain Services instance to connect to, this may be a Fully qualified domain name,
       NetBIOS name, Fully qualified directory server name (with or without port number) or AD Snapshot instance.

       Examples: demo.SS64.com  demo  demoDC02.demo.ss64.com  demoDC02.demo.ss64.com:3268

   -Confirm
       Prompt for confirmation before executing the command.

    -WhatIf
       Describe what would happen if you executed the command, without actually executing the command.

   CommonParameters:
       -Verbose, -Debug, -ErrorAction, -ErrorVariable, -WarningAction, -WarningVariable,
       -OutBuffer -OutVariable.

Add-ADDomainControllerPasswordReplicationPolicy adds one or more users, computers, and groups to the allowed or denied list of a read-only domain controller (RODC) password replication policy.

The -Identity parameter specifies the RODC that uses the allowed and denied lists to apply the password replication policy. Identify a domain controller by its GUID, IPV4Address, global IPV6Address, or DNS host name. You can also identify a domain controller by the name of the server object that represents the domain controller, the Distinguished Name (DN) of the NTDS settings object of the server object, the GUID of the NTDS settings object of the server object under the configuration partition, or the DN of the computer object that represents the domain controller. Alternatively set the -Identity parameter to a domain controller object variable, or pass an object through the PowerShell pipeline. e.g. using Get-ADDomainController. You must specify a read-only domain controller.

The -AllowedList parameter specifies the users, computers, and groups to add to the allowed list. Similarly, the -DeniedList parameter specifies the users, computers, and groups to add to the denied list. You must specify either one or both of -AllowedList and -DeniedList. To specify more than one user/group/computer, use a comma-separated list. If a specified user, computer, or group is not on the allowed or denied list, the cmdlet does not return an error.

Examples

Add user accounts to the Allowed list on a given RODC with the specified SamAccountNames:

PS C:\> Add-ADDomainControllerPasswordReplicationPolicy -Identity "SS64RODC1" -AllowedList "PeterFalk", "AliceLiddell"

Add user accounts to the Denied list on a given RODC with the specified SamAccountNames:

PS C:\> Add-ADDomainControllerPasswordReplicationPolicy -Identity "SS64RODC1" -DeniedList "PatrickMcGoohan", "Leslie Nielsen"

“It has beeen said that the love of money is the root of all evil. The want of money is so quite as truly” - Samuel Butler

Related:

Get-adFineGrainedPasswordPolicy - Get one or more AD fine-grained password policies


© Copyright SS64.com 1999-2014
Some rights reserved