Remove users, computers and groups from the allowed or denied list of a read-only domain controller password replication policy.
Syntax
Remove-ADDomainControllerPasswordReplicationPolicy -AllowedList ADPrincipal[]
[-Identity] ADDomainController [-AuthType {Negotiate | Basic}]
[-Credential PSCredential] [-PassThru] [-Server string]
[-Confirm] [-WhatIf] [CommonParameters]
Remove-ADDomainControllerPasswordReplicationPolicy -DeniedList ADPrincipal[]
[-Identity] <ADDomainController> [-AuthType {Negotiate | Basic}]
[-Credential PSCredential] [-PassThru] [-Server string]
[-Confirm] [-WhatIf] [CommonParameters]
Key
-AllowedList ADPrincipal[]
Specify the users, computers, groups, or other accounts to remove from the list of
accounts allowed to replicate their passwords to this Read-only domain controller (RODC).
Specify more than one value by using a comma-separated list.
To identify each user, computer, or group, use one of the following property values:
Distinguished name
Example: CN=ScottHeron,CN=employees,CN=Users,DC=SS64,DC=com
GUID (objectGUID)
Example: 599c3d2e-f72d-4d20-8a88-030d99495f20
Security identifier (objectSid)
Example: S-1-5-21-3165297888-301567370-576410423-1103
SAM account name (sAMAccountName)
Example: ScottHeron
-AuthType {Negotiate | Basic}
The authentication method to use: Negotiate (or 0), Basic (or 1)
A Secure Sockets Layer (SSL) connection is required for Basic authentication.
-Credential PSCredential
A user account that has permission to perform this action.
The default is the current user unless the cmdlet is run from an AD PowerShell provider drive
in which case the account associated with the drive is the default.
"User64" or "Domain01\User64" or a PSCredential object.
-DeniedList ADPrincipal[]
Specify the users, computers, groups, or other accounts denied to replicate
their passwords this Read-only domain controller (RODC).
Specify more than one value by using a comma-separated list.
To identify each user, computer, or group, use one of the following property values:
Distinguished name
Example: CN=ScottHeron,CN=employees,CN=Users,DC=SS64,DC=com
GUID (objectGUID)
Example: 599c3d2e-f72d-4d20-8a88-030d99495f20
Security identifier (objectSid)
Example: S-1-5-21-3165297888-301567370-576410423-1103
SAM account name (sAMAccountName)
Example: ScottHeron
-Identity ADAccount
Specify an AD domain object by providing one of the following values.
(The identifier in parentheses is the LDAP provider name for the attribute.)
Distinguished Name
Example: DC=Helvetia,DC=corp,DC=SS64,DC=com
GUID (objectGUID)
Example: 599c4d2e-f72d-4d20-8a78-030d69495f20
Security Identifier (objectSid)
Example: S-1-5-21-5165297888-301467370-576410423-1803
Security Accounts Manager (SAM) Account Name (sAMAccountName)
Example: Helvetia
The cmdlet searches the default naming context or partition to find the object.
If two or more objects are found, the cmdlet returns a non-terminating error.
This parameter can also get this object through the pipeline or you can set this
parameter to an object instance.
-PassThru
Return the new or modified object.
By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output.
-Server string
The AD Domain Services instance to connect to, this may be a Fully qualified domain name,
NetBIOS name, Fully qualified directory server name (with or without port number) or AD Snapshot instance.
Examples: demo.SS64.com demo demoDC02.demo.ss64.com demoDC02.demo.ss64.com:3268
-Confirm
Prompt for confirmation before executing the command.
-WhatIf
Describe what would happen if you executed the command, without actually executing the command.
Remove-ADDomainControllerPasswordReplicationPolicy removes one or more users, computers and groups from the allowed or denied list of a read-only domain controller (RODC) password replication policy. The -AllowedList parameters specify the users, computers and groups to remove from the allowed list. Similarly, the -DeniedList parameter specifies the users, computers and groups to remove from the denied list.
Remove the users with samAccountNames 'JSmith' and'PJones' from the Allowed list on SS64RODC1:
PS C:\> Remove-ADDomainControllerPasswordReplicationPolicy -Identity "SS64RODC1" -AllowedList "JSmith", "PJones"
Remove the users with samAccountNames 'JSmith' and'PJones' from the Denied list on SS64RODC1:
PS C:\> Remove-ADDomainControllerPasswordReplicationPolicy -Identity "SS64RODC1" -DeniedList "JSmith", "PJones"
“Here’s a rule I recommend. Never practice two vices at once” ~ Tallulah Bankhead
Get-adDomainControllerPasswordReplicationPolicyUsage - Get the resultant password policy of an AD Account on the specified RODC.
Get-adDomainControllerPasswordReplicationPolicy - Get the members of the allowed/denied list of a RODC’s password replication policy.