
Add-ADDomainControllerPasswordReplicationPolicy



This is the built-in help made by Microsoft for the command 'Add-ADDomainControllerPasswordReplicationPolicy', in PowerShell version 5 - as retrieved from Windows version 'Microsoft Windows Server 2012 R2 Standard' PowerShell help files on 2016-06-23.

For PowerShell version 3 and up, where you have Update-Help, this command was run just before creating the web pages from the help files.

SYNOPSIS

Adds users, computers, and groups to the allowed or denied list of a read-only domain controller password replication policy.

SYNTAX


Add-ADDomainControllerPasswordReplicationPolicy [[-Identity] <ADDomainController>] [-AuthType {Negotiate | Basic}] [-Credential <PSCredential>] [-Server <String>]
-AllowedList <ADPrincipal[]> [-Confirm] [-WhatIf] [<CommonParameters>]
Add-ADDomainControllerPasswordReplicationPolicy [[-Identity] <ADDomainController>] [-AuthType {Negotiate | Basic}] [-Credential <PSCredential>] [-Server <String>]
-DeniedList <ADPrincipal[]> [-Confirm] [-WhatIf] [<CommonParameters>]




DESCRIPTION


The Add-ADDomainControllerPasswordReplicationPolicy cmdlet adds one or more users, computers, and groups to the allowed or denied list of a read-only domain controller
(RODC) password replication policy.


The Identity parameter specifies the RODC that uses the allowed and denied lists to apply the password replication policy. You can identify a domain controller by its GUID,
IPV4Address, global IPV6Address, or DNS host name. You can also identify a domain controller by the name of the server object that represents the domain controller, the
Distinguished Name (DN) of the NTDS settings object of the server object, the GUID of the NTDS settings object of the server object under the configuration partition, or the
DN of the computer object that represents the domain controller. You can also set the Identity parameter to a domain controller object variable, such as
$<localDomainControllerobject>, or pass a domain controller object through the pipeline to the Identity parameter. For example, you can use the Get-ADDomainController cmdlet
to get a domain controller object and then pass the object through the pipeline to the Add-ADDomainControllerPasswordReplicationPolicy cmdlet. You must specify a read-only
domain controller. If you specify a writeable domain controller for this parameter, the cmdlet returns a non-terminating error.


The AllowedList parameter specifies the users, computers, and groups to add to the allowed list. Similarly, the DeniedList parameter specifies the users, computers, and
groups to add to the denied list. You must specify either one or both of the AllowedList and DeniedList parameters. You can identify a user, computer, or group by
distinguished name (DN), GUID, security identifier (SID) or Security Accounts Manager (SAM) account name. You can also specify user, computer, or group variables, such as
$<localUserObject>. If you are specifying more than one item, use a comma-separated list. If a specified user, computer, or group is not on the allowed or denied list, the
cmdlet does not return an error.




RELATED LINKS

Online Version: http://go.microsoft.com/fwlink/p/?linkid=291004
Get-ADDomainController
Get-ADDomainControllerPasswordReplicationPolicy

REMARKS


Examples


-------------------------- EXAMPLE 1 --------------------------

PS C:\> Add-ADDomainControllerPasswordReplicationPolicy -Identity "FABRIKAM-RODC1" -AllowedList "JesperAaberg", "AdrianaAdams"



This command adds user accounts with the specified SamAccountNames to the Allowed list on the RODC specified by the Identity parameter.




-------------------------- EXAMPLE 2 --------------------------

PS C:\> Add-ADDomainControllerPasswordReplicationPolicy -Identity "FABRIKAM-RODC1" -DeniedList "MichaelAllen", "ElizabethAndersen"



This command adds user accounts with the specified SamAccountNames to the Denied list on the RODC specified by the Identity parameter.
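
The following is an added example, not part of Microsoft's help text. It uses the pipeline pattern from the DESCRIPTION together with Get-ADDomainControllerPasswordReplicationPolicy from RELATED LINKS to check every RODC's lists before changing them. The group names in $mustDeny are an assumed sample of privileged groups; adjust them for your domain.

```powershell
# Added example: audit each RODC's password replication policy, then preview
# the additions needed on the denied list. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Assumed sample: principals whose passwords should never be cached on an RODC.
$mustDeny = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

# The cmdlet only accepts read-only domain controllers, so filter for them.
foreach ($rodc in Get-ADDomainController -Filter { IsReadOnly -eq $true }) {

    # Read the current allowed and denied lists for this RODC.
    $denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied)
    $allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed)

    # Privileged principals not yet on the denied list.
    $missing = @($mustDeny | Where-Object { $denied.SamAccountName -notcontains $_ })

    # Privileged principals that appear directly on the allowed list.
    # The denied list takes precedence, but such an entry is still worth reviewing.
    $conflict = @($allowed | Where-Object { $mustDeny -contains $_.SamAccountName })

    # One report row per RODC.
    [pscustomobject]@{
        RODC                = $rodc.HostName
        MissingFromDenied   = $missing -join ', '
        PrivilegedOnAllowed = $conflict.SamAccountName -join ', '
    }

    # Preview the change only; -WhatIf makes no modification.
    if ($missing.Count -gt 0) {
        Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList $missing -WhatIf
    }
}
```

Remove -WhatIf, or replace it with -Confirm, once the report shows the additions you expect.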