Get the members of the allowed list or denied list of a read-only domain controller's password replication policy.
Syntax
      Get-ADDomainControllerPasswordReplicationPolicy [-Allowed] [-Identity] ADDomainController
         [-AuthType {Negotiate | Basic}] [-Credential PSCredential] [-Server string] [CommonParameters]

      Get-ADDomainControllerPasswordReplicationPolicy -Denied [-Identity] ADDomainController
         [-AuthType {Negotiate | Basic}] [-Credential PSCredential] [-Server string] [CommonParameters]

Key
   -Allowed
       Return the users, computers, and groups from the domain controller allowed list.

   -AuthType {Negotiate | Basic}
       The authentication method to use: Negotiate (or 0), Basic (or 1).
       A Secure Sockets Layer (SSL) connection is required for Basic authentication.

   -Credential PSCredential
       A user account that has permission to perform this action.
       The default is the current user unless the cmdlet is run from an AD PowerShell
       provider drive, in which case the account associated with the drive is the default.
       "User64" or "Domain01\User64" or a PSCredential object.

   -Denied
       Return the users, computers, and groups from the domain controller denied list.

   -Identity ADAccount
       Specify an AD domain object by providing one of the following values.
       (The identifier in parentheses is the LDAP display name for the attribute.)
         Distinguished Name
            Example: DC=Helvetia,DC=corp,DC=SS64,DC=com
         GUID (objectGUID)
            Example: 599c4d2e-f72d-4d20-8a78-030d69495f20
         Security Identifier (objectSid)
            Example: S-1-5-21-5165297888-301467370-576410423-1803
         Security Accounts Manager (SAM) Account Name (sAMAccountName)
            Example: Helvetia
       The cmdlet searches the default naming context or partition to find the object.
       If two or more objects are found, the cmdlet returns a non-terminating error.
       This parameter can also get this object through the pipeline or you can set
       this parameter to an object instance.

   -Server string
       The AD Domain Services instance to connect to, this may be a Fully qualified domain name,
       NetBIOS name, Fully qualified directory server name (with or without port number)
       or AD Snapshot instance.
       Examples:
         demo.SS64.com
         demo
         demoDC02.demo.ss64.com
         demoDC02.demo.ss64.com:3268

   CommonParameters:
       -Verbose, -Debug, -ErrorAction, -ErrorVariable, -WarningAction, -WarningVariable,
       -OutBuffer -OutVariable.
Get-ADDomainControllerPasswordReplicationPolicy gets the users, computers, service accounts and groups that are members of the allowed list or denied list for a read-only domain controller's (RODC) password replication policy.
The -Identity parameter specifies the RODC that uses the allowed and denied lists to apply the password replication policy.
A domain controller may be identified by its GUID, IPV4Address, IPV6Address, DNS host name, the name of the server object that represents the domain controller, the Distinguished Name (DN) of the NTDS settings object or the server object, the GUID of the NTDS settings object or the server object under the configuration partition, or the DN of the computer object that represents the domain controller.
The -Identity parameter may also be set to an object variable or passed through the pipeline, e.g. from Get-ADDomainController.
If you specify a writeable Domain Controller for this cmdlet, the cmdlet returns a non-terminating error.
Examples
Get from an RODC domain controller password replication policy the allowed accounts showing the name and object class of each:
PS C:\> Get-ADDomainControllerPasswordReplicationPolicy -Identity "SS64RODC1" -Allowed | ft Name,ObjectClass
Get the password replication policy allowed lists from all RODCs in the domain:
PS C:\> Get-ADDomainController -Filter {IsReadOnly -eq $true} | Get-ADDomainControllerPasswordReplicationPolicy -Allowed
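Building on the two examples above, the following added script (not from the SS64 page) audits the Allowed list of every RODC in the domain and flags entries that name a default privileged group, since accounts on the Allowed list can have their password hashes cached on that RODC, and entries that also appear on the Denied list. The $sensitiveNames list and the Get-RodcPrpReport function name are this example's own assumptions; the cmdlet calls use only the parameters documented above.

```powershell
# Added example (not SS64's own code): report risky entries in RODC password replication policies.
# Assumes the RSAT ActiveDirectory module is installed and the caller can read RODC PRP attributes.
Import-Module ActiveDirectory

# Default group names we treat as sensitive (assumption: English default names, not renamed).
$sensitiveNames = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                    'Account Operators', 'Backup Operators', 'Server Operators', 'Domain Controllers')

function Get-RodcPrpReport {
    param([string]$Server)   # optional DC to query; omitted = default for the current domain

    $dcParams = @{ Filter = { IsReadOnly -eq $true } }   # RODCs only, as in the example above
    if ($Server) { $dcParams['Server'] = $Server }

    foreach ($rodc in Get-ADDomainController @dcParams) {
        # The ADDomainController object is passed straight to -Identity, as the page describes.
        $allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed)
        $denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied)

        foreach ($entry in $allowed) {
            [pscustomobject]@{
                RODC        = $rodc.Name
                Name        = $entry.Name
                ObjectClass = $entry.ObjectClass
                # A privileged group on the Allowed list lets its members' secrets be cached on the RODC.
                Sensitive   = ($sensitiveNames -contains $entry.Name)
                # Denied takes precedence over Allowed, so such an entry is effectively not replicated.
                AlsoDenied  = ($denied.Name -contains $entry.Name)
            }
        }
    }
}

# Show only the findings; drop the Where-Object to see the full Allowed list per RODC.
Get-RodcPrpReport | Where-Object { $_.Sensitive -or $_.AlsoDenied } |
    Format-Table RODC, Name, ObjectClass, Sensitive, AlsoDenied -AutoSize
```

Pipe the unfiltered output to Export-Csv to keep a baseline and diff it on a schedule, so unexpected additions to an RODC's Allowed list stand out.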
“Bliss was it in that dawn to be alive, But to be young was very heaven!” ~ Wordsworth
Related PowerShell Cmdlets:
Remove-adDomainControllerPasswordReplicationPolicy - RODC PRP Allowed/Denied List.
Get-adDomainControllerPasswordReplicationPolicyUsage - Get the resultant password policy of an ADAccount on the specified RODC.