Get-ADomainControllerPasswordReplicationPolicyUsage

Get the Active Directory accounts that are authenticated by a read-only domain controller or that are in the revealed list of the domain controller.

Syntax
      Get-ADDomainControllerPasswordReplicationPolicyUsage [-Identity] ADDomainController
         -AuthenticatedAccounts [-AuthType {Negotiate | Basic}]
           [-Credential PSCredential] [-RevealedAccounts]
              [-Server string] [CommonParameters]

Key
   -AuthenticatedAccounts
       Search for accounts that have been authenticated by a read-only domain controller.
 
   -AuthType {Negotiate | Basic}
       The authentication method to use: Negotiate (or 0), Basic (or 1)
       A Secure Sockets Layer (SSL) connection is required for Basic authentication.

   -Credential PSCredential
       A user account that has permission to perform this action.
       The default is the current user unless the cmdlet is run from an AD PowerShell provider drive
       in which case the account associated with the drive is the default.

       "User64" or "Domain01\User64" or a PSCredential object.

   -Identity ADAccount
       Specify an AD domain object by providing one of the following values.
       (The identifier in parentheses is the LDAP display name for the attribute.)

          Distinguished Name 
            Example: DC=Helvetia,DC=corp,DC=SS64,DC=com 
          GUID (objectGUID) 
            Example: 599c4d2e-f72d-4d20-8a78-030d69495f20
          Security Identifier (objectSid) 
            Example: S-1-5-21-5165297888-301467370-576410423-1803
          Security Accounts Manager (SAM) Account Name (sAMAccountName)
            Example: Helvetia

       The cmdlet searches the default naming context or partition to find the object.
       If two or more objects are found, the cmdlet returns a non-terminating error.

       This parameter can also get this object through the pipeline or you can set this
       parameter to an object instance.

   -RevealedAccounts
       Search for accounts which have passwords stored on the read-only domain controller.

   -Server string
       The AD Domain Services instance to connect to, this may be a Fully qualified domain name,
       NetBIOS name, Fully qualified directory server name (with or without port number) or AD Snapshot instance.

       Examples: demo.SS64.com  demo  demoDC02.demo.ss64.com  demoDC02.demo.ss64.com:3268

   CommonParameters:
       -Verbose, -Debug, -ErrorAction, -ErrorVariable, -WarningAction, -WarningVariable,
       -OutBuffer -OutVariable.

Get-ADDomainControllerPasswordReplicationPolicyUsage gets the user or computer accounts that are authenticated by a read-only domain controller (RODC) or that have passwords that are stored on that RODC. The list of accounts that are stored on a RODC is known as the revealed list.

The -Identity parameter specifies the RODC, you can use the Get-ADDomainController cmdlet to retrieve a domain controller object and then pass the object through the pipeline to Get-ADDomainControllerPasswordReplicationPolicyUsage

Examples

Get the authenticated accounts for a given RODC showing the name and object class of each:

PS C:\> Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity "SS64RODC1" -AuthenticatedAccounts | format-table Name,ObjectClass -A

Get the revealed accounts for a given RODC showing the name and object class of each:

PS C:\> Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity "SS64RODC1" -RevealedAccounts | format-table Name,ObjectClass -A

“Bliss was it in that dawn to be alive, But to be young was very heaven!” ~ Wordsworth

Related:

Get-adDomainControllerPasswordReplicationPolicy - RODC PRP Allowed/Denied List.
Remove-adDomainControllerPasswordReplicationPolicy
- RODC PRP Allowed/Denied List.


© Copyright SS64.com 1999-2013
Some rights reserved