Remove-ADDomainControllerPasswordReplicationPolicy

Remove users, computers and groups from the allowed or denied list of a read-only domain controller password replication policy.

Syntax
      Remove-ADDomainControllerPasswordReplicationPolicy -AllowedList ADPrincipal[]
         [-Identity] ADDomainController [-AuthType {Negotiate | Basic}]
            [-Credential PSCredential] [-PassThru] [-Server string]
               [-Confirm] [-WhatIf] [CommonParameters]

      Remove-ADDomainControllerPasswordReplicationPolicy -DeniedList ADPrincipal[]
         [-Identity] <ADDomainController> [-AuthType {Negotiate | Basic}]
            [-Credential PSCredential] [-PassThru] [-Server string]
               [-Confirm] [-WhatIf] [CommonParameters]

Key
   -AllowedList ADPrincipal[]
       Specify the users, computers, groups, or other accounts to remove from the list of 
       accounts allowed to replicate their passwords to this Read-only domain controller (RODC).
       Specify more than one value by using a comma-separated list.
       To identify each user, computer, or group, use one of the following property values:
          Distinguished name
              Example:  CN=ScottHeron,CN=employees,CN=Users,DC=SS64,DC=com
          GUID  (objectGUID)
              Example:  599c3d2e-f72d-4d20-8a88-030d99495f20
          Security identifier (objectSid)
              Example:  S-1-5-21-3165297888-301567370-576410423-1103
          SAM account name (sAMAccountName)
              Example:  ScottHeron

   -AuthType {Negotiate | Basic}
       The authentication method to use: Negotiate (or 0), Basic (or 1)
       A Secure Sockets Layer (SSL) connection is required for Basic authentication.

   -Credential PSCredential
       A user account that has permission to perform this action.
       The default is the current user unless the cmdlet is run from an AD PowerShell provider drive
       in which case the account associated with the drive is the default.

       "User64" or "Domain01\User64" or a PSCredential object.

   -DeniedList ADPrincipal[]
       Specify the users, computers, groups, or other accounts denied to replicate
       their passwords this Read-only domain controller (RODC).
       Specify more than one value by using a comma-separated list.
       To identify each user, computer, or group, use one of the following property values:
          Distinguished name
              Example:  CN=ScottHeron,CN=employees,CN=Users,DC=SS64,DC=com
          GUID  (objectGUID)
              Example:  599c3d2e-f72d-4d20-8a88-030d99495f20
          Security identifier (objectSid)
              Example:  S-1-5-21-3165297888-301567370-576410423-1103
          SAM account name (sAMAccountName)
              Example:  ScottHeron

   -Identity ADAccount
       Specify an AD domain object by providing one of the following values.
       (The identifier in parentheses is the LDAP display name for the attribute.)

          Distinguished Name 
            Example: DC=Helvetia,DC=corp,DC=SS64,DC=com 
          GUID (objectGUID) 
            Example: 599c4d2e-f72d-4d20-8a78-030d69495f20
          Security Identifier (objectSid) 
            Example: S-1-5-21-5165297888-301467370-576410423-1803
          Security Accounts Manager (SAM) Account Name (sAMAccountName)
            Example: Helvetia

       The cmdlet searches the default naming context or partition to find the object.
       If two or more objects are found, the cmdlet returns a non-terminating error.

       This parameter can also get this object through the pipeline or you can set this
       parameter to an object instance.

   -PassThru
       Return the new or modified object.
       By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output.

   -Server string
       The AD Domain Services instance to connect to, this may be a Fully qualified domain name,
       NetBIOS name, Fully qualified directory server name (with or without port number) or AD Snapshot instance.

       Examples: demo.SS64.com  demo  demoDC02.demo.ss64.com  demoDC02.demo.ss64.com:3268

   -Confirm
       Prompt for confirmation before executing the command.

   -WhatIf
       Describe what would happen if you executed the command, without actually executing the command.

   CommonParameters:
       -Verbose, -Debug, -ErrorAction, -ErrorVariable, -WarningAction, -WarningVariable,
       -OutBuffer -OutVariable.

Remove-ADDomainControllerPasswordReplicationPolicy removes one or more users, computers and groups from the allowed or denied list of a read-only domain controller (RODC) password replication policy. The -AllowedList parameters specify the users, computers and groups to remove from the allowed list. Similarly, the -DeniedList parameter specifies the users, computers and groups to remove from the denied list.

Examples

Remove the users with samAccountNames 'JSmith' and'PJones' from the Allowed list on SS64RODC1:

PS C:\> Remove-ADDomainControllerPasswordReplicationPolicy -Identity "SS64RODC1" -AllowedList "JSmith", "PJones"

Remove the users with samAccountNames 'JSmith' and'PJones' from the Denied list on SS64RODC1:

PS C:\> Remove-ADDomainControllerPasswordReplicationPolicy -Identity "SS64RODC1" -DeniedList "JSmith", "PJones"

“Here’s a rule I recommend. Never practice two vices at once” ~ Tallulah Bankhead

Related:

Get-adDomainControllerPasswordReplicationPolicyUsage - Get the resultant password policy of the specified AD Account on the specified RODC.
Get-adDomainControllerPasswordReplicationPolicy - Get the members of the allowed list or denied list of a RODC's password replication policy.


© Copyright SS64.com 1999-2013
Some rights reserved