Get-ADDomainControllerPasswordReplicationPolicyUsage

Get the Active Directory accounts that are authenticated by a read-only domain controller or that are in the revealed list of the domain controller.

Syntax
      Get-ADDomainControllerPasswordReplicationPolicyUsage [-Identity] ADDomainController
         -AuthenticatedAccounts [-AuthType {Negotiate | Basic}]
           [-Credential PSCredential] [-RevealedAccounts]
              [-Server string] [CommonParameters]

Key
   -AuthenticatedAccounts
       Search for accounts that have been authenticated by a read-only domain controller.
 
   -AuthType {Negotiate | Basic}
       The authentication method to use: Negotiate (or 0), Basic (or 1)
       A Secure Sockets Layer (SSL) connection is required for Basic authentication.

   -Credential PSCredential
       A user account that has permission to perform this action.
       The default is the current user unless the cmdlet is run from an AD PowerShell provider drive
       in which case the account associated with the drive is the default.

       "User64" or "Domain01\User64" or a PSCredential object.

   -Identity ADDomainController
       Specify the AD domain controller object (the RODC) by providing one of the following values.
       (The identifier in parentheses is the LDAP provider name for the attribute.)

          Distinguished Name 
            Example: DC=Helvetia,DC=corp,DC=SS64,DC=com 
          GUID (objectGUID) 
            Example: 599c4d2e-f72d-4d20-8a78-030d69495f20
          Security Identifier (objectSid) 
            Example: S-1-5-21-5165297888-301467370-576410423-1803
          Security Accounts Manager (SAM) Account Name (sAMAccountName)
            Example: Helvetia

       The cmdlet searches the default naming context or partition to find the object.
       If two or more objects are found, the cmdlet returns a non-terminating error.

       This parameter can also get this object through the pipeline or you can set this
       parameter to an object instance.

   -RevealedAccounts
       Search for accounts which have passwords stored on the read-only domain controller.

   -Server string
       The AD Domain Services instance to connect to. This may be a fully qualified domain name,
       NetBIOS name, fully qualified directory server name (with or without port number) or AD Snapshot instance.

       Examples: demo.SS64.com  demo  demoDC02.demo.ss64.com  demoDC02.demo.ss64.com:3268

Get-ADDomainControllerPasswordReplicationPolicyUsage gets the user or computer accounts that are authenticated by a read-only domain controller (RODC) or that have passwords that are stored on that RODC. The list of accounts that are stored on a RODC is known as the revealed list.

The -Identity parameter specifies the RODC. You can use the Get-ADDomainController cmdlet to retrieve a domain controller object and then pass the object through the pipeline to Get-ADDomainControllerPasswordReplicationPolicyUsage.

Examples

Get the authenticated accounts for a given RODC showing the name and object class of each:

PS C:\> Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity "SS64RODC1" -AuthenticatedAccounts | Format-Table Name,ObjectClass -A

Get the revealed accounts for a given RODC showing the name and object class of each:

PS C:\> Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity "SS64RODC1" -RevealedAccounts | Format-Table Name,ObjectClass -A
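
Audit the revealed list of every RODC in the domain. This is an added example, not part of the original page. It flags revealed accounts that carry adminCount = 1 (accounts that are, or have been, members of protected groups), since a password cached on an RODC is exposed if that RODC is compromised. The function name Get-RodcRevealedAudit and its output property names are hypothetical; the ActiveDirectory module (RSAT) is assumed to be installed:

```powershell
Import-Module ActiveDirectory

function Get-RodcRevealedAudit {   # hypothetical helper name, not a built-in cmdlet
    [CmdletBinding()]
    param(
        # Optional directory server to query; default DC discovery is used when omitted
        [string]$Server
    )
    $common = @{}
    if ($Server) { $common.Server = $Server }

    # Find every read-only domain controller in the domain
    $rodcs = Get-ADDomainController -Filter 'IsReadOnly -eq $true' @common

    foreach ($rodc in $rodcs) {
        # Accounts whose passwords are stored on this RODC (the revealed list)
        $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage `
                        -Identity $rodc -RevealedAccounts @common)
        # Accounts that have authenticated through this RODC
        $authenticated = @(Get-ADDomainControllerPasswordReplicationPolicyUsage `
                        -Identity $rodc -AuthenticatedAccounts @common)
        $authDns = @($authenticated | ForEach-Object { $_.DistinguishedName })

        foreach ($acct in $revealed) {
            # adminCount is not returned by default, so request it explicitly
            $obj = Get-ADObject -Identity $acct.DistinguishedName `
                        -Properties adminCount @common
            [pscustomobject]@{
                RODC                = $rodc.Name
                Name                = $acct.Name
                ObjectClass         = $acct.ObjectClass
                Protected           = ($obj.adminCount -eq 1)
                AuthenticatedOnRODC = ($authDns -contains $acct.DistinguishedName)
            }
        }
    }
}

# Protected accounts first within each RODC, so they stand out in the report
Get-RodcRevealedAudit |
    Sort-Object RODC, @{ Expression = 'Protected'; Descending = $true }, Name |
    Format-Table -AutoSize
```

The RODC's own computer account and its krbtgt account normally appear in the revealed list; rows with Protected = True for other accounts are the ones to review against the Allowed/Denied lists.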


Related PowerShell Cmdlets

Get-ADDomainControllerPasswordReplicationPolicy - RODC PRP Allowed/Denied List.
Remove-ADDomainControllerPasswordReplicationPolicy - RODC PRP Allowed/Denied List.


 
Copyright © 1999-2024 SS64.com
Some rights reserved