Get-ADDomainControllerPasswordReplicationPolicy

Get the members of the allowed list or denied list of a read-only domain controller's password replication policy.

Syntax
      Get-ADDomainControllerPasswordReplicationPolicy [-Allowed] [-Identity] ADDomainController 
         [-AuthType {Negotiate | Basic}] [-Credential PSCredential]
            [-Server string] [CommonParameters]

      Get-ADDomainControllerPasswordReplicationPolicy -Denied [-Identity] ADDomainController
         [-AuthType {Negotiate | Basic}] [-Credential PSCredential]
            [-Server string] [CommonParameters]

Key
   -Allowed
       Return the users, computers, and groups from the domain controller allowed list.
 
   -AuthType {Negotiate | Basic}
       The authentication method to use: Negotiate (or 0), Basic (or 1)
       A Secure Sockets Layer (SSL) connection is required for Basic authentication.

   -Credential PSCredential
       A user account that has permission to perform this action.
       The default is the current user unless the cmdlet is run from an AD PowerShell provider drive
       in which case the account associated with the drive is the default.

       "User64" or "Domain01\User64" or a PSCredential object.

   -Denied
       Return the users, computers, and groups from the domain controller denied list.

   -Identity ADDomainController
       Specify an AD domain controller object by providing one of the following values.
       (The identifier in parentheses is the LDAP display name for the attribute.)

          Distinguished Name 
            Example: DC=Helvetia,DC=corp,DC=SS64,DC=com 
          GUID (objectGUID) 
            Example: 599c4d2e-f72d-4d20-8a78-030d69495f20
          Security Identifier (objectSid) 
            Example: S-1-5-21-5165297888-301467370-576410423-1803
          Security Accounts Manager (SAM) Account Name (sAMAccountName)
            Example: Helvetia

       The cmdlet searches the default naming context or partition to find the object.
       If two or more objects are found, the cmdlet returns a non-terminating error.

       This parameter can also get this object through the pipeline or you can set this
       parameter to an object instance.

   -Server string
       The AD Domain Services instance to connect to. This may be a fully qualified domain name,
       NetBIOS name, fully qualified directory server name (with or without port number) or AD Snapshot instance.

       Examples: demo.SS64.com  demo  demoDC02.demo.ss64.com  demoDC02.demo.ss64.com:3268

   CommonParameters:
       -Verbose, -Debug, -ErrorAction, -ErrorVariable, -WarningAction, -WarningVariable,
       -OutBuffer -OutVariable.

Get-ADDomainControllerPasswordReplicationPolicy gets the users, computers, service accounts and groups that are members of the allowed list or denied list for a read-only domain controller's (RODC) password replication policy.

The -Identity parameter specifies the RODC that uses the allowed and denied lists to apply the password replication policy.

A domain controller may be identified by its GUID, IPV4Address, IPV6Address, DNS host name, the name of the server object that represents the domain controller, the Distinguished Name (DN) of the NTDS settings object or the server object, the GUID of the NTDS settings object or the server object under the configuration partition, or the DN of the computer object that represents the domain controller.

The -Identity parameter may also be set to an object variable or passed through the pipeline, e.g. from Get-ADDomainController.

If you specify a writable Domain Controller for this cmdlet, the cmdlet returns a non-terminating error.

Examples

Get from an RODC domain controller password replication policy the allowed accounts showing the name and object class of each:

PS C:\> Get-ADDomainControllerPasswordReplicationPolicy -Identity "SS64RODC1" -Allowed | ft Name,ObjectClass

Get the password replication policy allowed lists from all RODCs in the domain:

PS C:\> Get-ADDomainController -Filter {IsReadOnly -eq $true} | Get-ADDomainControllerPasswordReplicationPolicy -Allowed
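Audit the allowed lists of every RODC for protected (AdminSDHolder, adminCount = 1) accounts whose secrets would otherwise be cached on a less trusted DC. This is an added example, not from the original page; it assumes the ActiveDirectory module is loaded and the function name Get-RodcPrpReport is ours:

```powershell
# Added example (not part of the original page): report every principal on
# each RODC's Allowed list, noting whether it is AdminSDHolder-protected and
# whether it also appears on the Denied list (Denied wins over Allowed).
Import-Module ActiveDirectory

function Get-RodcPrpReport {
    [CmdletBinding()]
    param(
        [string]$Server   # optional DC or domain to query (assumed optional parameter)
    )
    $common = @{}
    if ($Server) { $common['Server'] = $Server }

    # Only RODCs are valid targets; a writable DC would produce a non-terminating error.
    $rodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true } @common
    foreach ($rodc in $rodcs) {
        $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed @common
        $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  @common
        $deniedDns = @($denied | Select-Object -ExpandProperty DistinguishedName)

        foreach ($p in $allowed) {
            # Protected objects (members of Domain Admins etc.) carry adminCount = 1.
            $obj = Get-ADObject -Identity $p.DistinguishedName -Properties adminCount @common
            [pscustomobject]@{
                RODC        = $rodc.HostName
                Name        = $p.Name
                ObjectClass = $p.ObjectClass
                Protected   = ($obj.adminCount -eq 1)
                AlsoDenied  = ($deniedDns -contains $p.DistinguishedName)
            }
        }
    }
}

# Show only the entries that would actually be cached and are privileged.
Get-RodcPrpReport | Where-Object { $_.Protected -and -not $_.AlsoDenied } | Format-Table -AutoSize
```

Any row printed is a protected account that an RODC is permitted to cache; review whether it belongs on the allowed list or should be moved to the denied list.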

“Bliss was it in that dawn to be alive, But to be young was very heaven!” ~ Wordsworth

Related:

Remove-ADDomainControllerPasswordReplicationPolicy - RODC PRP Allowed/Denied List.
Get-ADDomainControllerPasswordReplicationPolicyUsage - Get the resultant password policy of the specified ADAccount on the specified RODC.


© Copyright SS64.com 1999-2014
Some rights reserved