Remove one or more users from a fine grained password policy.

      Remove-ADFineGrainedPasswordPolicySubject [-Identity] ADFineGrainedPasswordPolicy
         [-Subjects] ADPrincipal[] [-AuthType {Negotiate | Basic}]
            [-Credential PSCredential] [-Partition string] [-PassThru]
               [-Server string] [-Confirm] [-WhatIf] [CommonParameters]

   -AuthType {Negotiate | Basic}
       The authentication method to use: Negotiate (or 0), Basic (or 1)
       A Secure Sockets Layer (SSL) connection is required for Basic authentication.

   -Credential PSCredential
       A user account that has permission to perform this action.
       The default is the current user unless the cmdlet is run from an AD PowerShell provider drive
       in which case the account associated with the drive is the default.

       "User64" or "Domain01\User64" or a PSCredential object.

   -Identity ADFineGrainedPasswordPolicy
       Specify an AD fine-grained password policy object by providing one of the following values.
       (The identifier in parentheses is the LDAP provider name for the attribute.)

          Distinguished Name 
            Example: CN=Strict Password Policy,CN=Password Settings Container,CN=System,DC=SS64,DC=com 
          GUID (objectGUID) 
            Example: b7fa5896-7461-476c-a489-a2a839abcd5f
          Security Identifier (objectSid) 
            Example: S-1-5-21-5165297888-301467370-576410423-1803
          Security Accounts Manager (SAM) Account Name (sAMAccountName)
            Example: PasswordPolicyLevel1

       The cmdlet searches the default naming context or partition to find the object.
       If two or more objects are found, the cmdlet returns a non-terminating error.

       This parameter can also get this object through the pipeline or you can set this
       parameter to an object instance.

   -Partition string
       The distinguished name of an AD partition.
       The distinguished name must be one of the naming contexts on the current
       directory server. The cmdlet searches this partition to find the object defined by
       the -Identity parameter. 
       The following two examples show how to specify a value for this parameter.
          -Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=SS64,DC=COM"
          -Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=SS64,DC=COM"
       In many cases, a default value will be used for the Partition parameter if no value
       is specified.

       Returns the new or modified object.
       By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output.

   -Server string
       The AD Domain Services instance to connect to, this may be a Fully qualified domain name,
       NetBIOS name, Fully qualified directory server name (with or without port number) or AD Snapshot instance.

       Examples:  demo

   -Subjects ADPrincipal[]
       One or more users or groups by providing one of the following property values.
       To specify more than one user or group, use a comma-separated list.
          Distinguished Name (DN)
            Example: CN=MikeHsu,CN=Users,DC=corp,DC=SS64,DC=com
          GUID (objectGUID)
            Example: b7fa5896-7461-476c-a489-a2a839abcd5f
          Security Identifier (objectSid)
            Example: S-1-5-21-3165297868-301267370-276410423-1103
          SAM Account Name (sAMAccountName)
            Example: MikeHsu

        The identifier in (parentheses) is the LDAP provider name.
        You can also provide objects to this parameter directly.

Remove-ADFineGrainedPasswordPolicySubject removes one or more global security groups and users from a fine grained password policy.

The -Identity parameter specifies the Fine-Grained Password Policy, identified by its distinguished name or GUID. The -Identity parameter may also be set to a Fine-Grained Password Policy object variable, or passed through the PowerShell pipeline. For example, using Get-ADFineGrainedPasswordPolicy.

The -Subjects parameter specifies the users and groups to remove from the password policy. The user or group may be identified by its distinguished name (DN), GUID, security identifier (SID), security accounts manager (SAM) account name, or canonical name. Alternatively specify a User or group object variable, to specify more than one, use a comma-separated list.


Remove the Fine-Grained Password Policy named 'SS64PasswordSettings' from two users, with SamAccountNames 'xiaoping' and 'MikeHsu':

PS C:\> Remove-ADFineGrainedPasswordPolicySubject SS64PasswordSettings -Subjects xiaoping,MikeHsu

Remove any subjects that have names ending with 'Ballmer' from the name list on which the Fine-Grained Password Policy named 'SS64PasswordSettings' applies:

PS C:\> Get-ADFineGrainedPasswordPolicySubject SS64PasswordSettings | where {$_.Name -like "*Ballmer"} | Remove-ADFineGrainedPasswordPolicySubject DlgtdAdminsPSO

“Any person who selects a goal in life which can be fully achieved, has already defined his own limitations” ~ Cavett Robert

Related PowerShell Cmdlets

Add-adFineGrainedPasswordPolicySubject - Apply a fine-grained password policy to one more users and groups.
- Get the users and groups to which a fine-grained policy is applied.

Copyright © 1999-2023
Some rights reserved