This is the built-in help made by Microsoft for the command 'Add-ADDomainControllerPasswordReplicationPolicy', in PowerShell version 5 - as retrieved from
Windows version 'Microsoft Windows Server 2012 R2 Standard' PowerShell help files on 2016-06-23.
For PowerShell version 3 and up, where Update-Help is available, that command was run just before the web pages were created from the help files.
Adds users, computers, and groups to the allowed or denied list of a read-only domain controller password replication policy.
Add-ADDomainControllerPasswordReplicationPolicy [[-Identity] <ADDomainController>] [-AuthType {Negotiate | Basic}] [-Credential <PSCredential>] [-Server <String>]
-AllowedList <ADPrincipal[]> [-Confirm] [-WhatIf] [<CommonParameters>]
Add-ADDomainControllerPasswordReplicationPolicy [[-Identity] <ADDomainController>] [-AuthType {Negotiate | Basic}] [-Credential <PSCredential>] [-Server <String>]
-DeniedList <ADPrincipal[]> [-Confirm] [-WhatIf] [<CommonParameters>]
The Add-ADDomainControllerPasswordReplicationPolicy cmdlet adds one or more users, computers, and groups to the allowed or denied list of a read-only domain controller
(RODC) password replication policy.
The Identity parameter specifies the RODC that uses the allowed and denied lists to apply the password replication policy. You can identify a domain controller by its GUID,
IPV4Address, global IPV6Address, or DNS host name. You can also identify a domain controller by the name of the server object that represents the domain controller, the
Distinguished Name (DN) of the NTDS settings object of the server object, the GUID of the NTDS settings object of the server object under the configuration partition, or the
DN of the computer object that represents the domain controller. You can also set the Identity parameter to a domain controller object variable, such as
$<localDomainControllerobject>, or pass a domain controller object through the pipeline to the Identity parameter. For example, you can use the Get-ADDomainController cmdlet
to get a domain controller object and then pass the object through the pipeline to the Add-ADDomainControllerPasswordReplicationPolicy cmdlet. You must specify a read-only
domain controller. If you specify a writeable domain controller for this parameter, the cmdlet returns a non-terminating error.
The AllowedList parameter specifies the users, computers, and groups to add to the allowed list. Similarly, the DeniedList parameter specifies the users, computers, and
groups to add to the denied list. You must specify either one or both of the AllowedList and DeniedList parameters. You can identify a user, computer, or group by
distinguished name (DN), GUID, security identifier (SID) or Security Accounts Manager (SAM) account name. You can also specify user, computer, or group variables, such as
$<localUserObject>. If you are specifying more than one item, use a comma-separated list. If a specified user, computer, or group is not on the allowed or denied list, the
cmdlet does not return an error.
Online Version: http://go.microsoft.com/fwlink/p/?linkid=291004
Get-ADDomainController
Get-ADDomainControllerPasswordReplicationPolicy
-------------------------- EXAMPLE 1 --------------------------
PS C:\> Add-ADDomainControllerPasswordReplicationPolicy -Identity "FABRIKAM-RODC1" -AllowedList "JesperAaberg", "AdrianaAdams"
This command adds user accounts with the specified SamAccountNames to the Allowed list on the RODC specified by the Identity parameter.
-------------------------- EXAMPLE 2 --------------------------
PS C:\> Add-ADDomainControllerPasswordReplicationPolicy -Identity "FABRIKAM-RODC1" -DeniedList "MichaelAllen", "ElizabethAndersen"
This command adds user accounts with the specified SamAccountNames to the Denied list on the RODC specified by the Identity parameter.
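The following script is an added example and is not part of the Microsoft help text above. It walks through the pipeline usage the description mentions (Get-ADDomainController feeding the RODC object into Add-ADDomainControllerPasswordReplicationPolicy), previews the change with -WhatIf, applies one allowed-list and one denied-list change, and then reads the policy back with Get-ADDomainControllerPasswordReplicationPolicy to confirm the result. It assumes the ActiveDirectory module is installed and the caller has rights to edit the RODC's password replication policy; "FABRIKAM-RODC1" is the RODC name from the page's own examples, while the group names "Branch-Users" and "Tier0-Admins" are placeholders chosen for this example.

```powershell
# Added example, not from the Microsoft help page. Assumes the ActiveDirectory
# module is available and the caller may modify the RODC's PRP.
# "FABRIKAM-RODC1" is the RODC from the page's examples; "Branch-Users" and
# "Tier0-Admins" are placeholder group names for this example.
Import-Module ActiveDirectory

$rodcName = 'FABRIKAM-RODC1'
$allowGrp = 'Branch-Users'   # accounts whose secrets the branch RODC may cache
$denyGrp  = 'Tier0-Admins'   # accounts that must never be cached on an RODC

# Resolve the domain controller object first and pass it down the pipeline,
# as the help text describes. Stop early if it is not read-only, because the
# cmdlet would otherwise only return a non-terminating error.
$rodc = Get-ADDomainController -Identity $rodcName
if (-not $rodc.IsReadOnly) {
    throw "$rodcName is a writeable domain controller; PRP changes apply to RODCs only."
}

# Preview both changes with -WhatIf before touching the directory.
$rodc | Add-ADDomainControllerPasswordReplicationPolicy -AllowedList $allowGrp -WhatIf
$rodc | Add-ADDomainControllerPasswordReplicationPolicy -DeniedList  $denyGrp  -WhatIf

# Apply. The syntax block shows AllowedList and DeniedList in separate
# parameter sets, so each list is changed with its own call.
$rodc | Add-ADDomainControllerPasswordReplicationPolicy -AllowedList $allowGrp
$rodc | Add-ADDomainControllerPasswordReplicationPolicy -DeniedList  $denyGrp

# Read the policy back to verify the change took effect.
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied

"Allowed list on ${rodcName}:"
$allowed | Select-Object Name, ObjectClass
"Denied list on ${rodcName}:"
$denied  | Select-Object Name, ObjectClass

# A principal present on both lists is treated as denied, so flag any overlap
# that would silently prevent caching for an account you meant to allow.
$both = $allowed | Where-Object { $denied.DistinguishedName -contains $_.DistinguishedName }
if ($both) {
    "Warning: the following principals are on both lists (denied takes precedence):"
    $both | Select-Object Name
}
```

Run this from a session with the RSAT Active Directory module loaded; the -WhatIf lines print what would change without modifying anything, so you can keep them in a change ticket as evidence of the intended edit before removing them or running the two apply lines.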