
Remove-ADDomainControllerPasswordReplicationPolicy



This is the built-in help made by Microsoft for the command 'Remove-ADDomainControllerPasswordReplicationPolicy', in PowerShell version 5 - as retrieved from Windows version 'Microsoft Windows Server 2012 R2 Standard' PowerShell help files on 2016-06-23.

For PowerShell version 3 and up, where you have Update-Help, this command was run just before creating the web pages from the help files.

SYNOPSIS

Removes users, computers and groups from the allowed or denied list of a read-only domain controller password replication policy.

SYNTAX


Remove-ADDomainControllerPasswordReplicationPolicy [-Identity] <ADDomainController> [-AuthType {Negotiate | Basic}] [-Credential <PSCredential>] [-PassThru] [-Server <String>] -AllowedList <ADPrincipal[]> [-Confirm] [-WhatIf] [<CommonParameters>]

Remove-ADDomainControllerPasswordReplicationPolicy [-Identity] <ADDomainController> [-AuthType {Negotiate | Basic}] [-Credential <PSCredential>] [-PassThru] [-Server <String>] -DeniedList <ADPrincipal[]> [-Confirm] [-WhatIf] [<CommonParameters>]




DESCRIPTION


The Remove-ADDomainControllerPasswordReplicationPolicy cmdlet removes one or more users, computers and groups from the allowed or denied list of a read-only domain
controller (RODC) password replication policy.


The Identity parameter specifies the RODC that uses the allowed and denied lists to apply the password replication policy. You can identify a domain controller by its GUID,
IPV4Address, global IPV6Address, or DNS host name. You can also identify a domain controller by the name of the server object that represents the domain controller, the
Distinguished Name (DN) of the NTDS settings object or the server object, the GUID of the NTDS settings object or the server object under the configuration partition, or the
DN of the computer object that represents the domain controller. You can also set the Identity parameter to a domain controller object variable, such as
$<localDomainControllerobject>, or pass a domain controller object through the pipeline operator to the Identity parameter. For example, you can use the
Get-ADDomainController cmdlet to retrieve a domain controller object and then pass the object through the pipeline operator to the
Remove-ADDomainControllerPasswordReplicationPolicy cmdlet. You must provide a read-only domain controller.


The AllowedList parameter specifies the users, computers and groups to remove from the allowed list. Similarly, the DeniedList parameter specifies the users, computers and
groups to remove from the denied list. You must specify either one or both of the AllowedList and DeniedList parameters. You can identify a user, computer or group by
distinguished name (DN), GUID, security identifier (SID) or security accounts manager (SAM) account name. You can also specify user, computer or group variables, such as
$<localUserObject>. If you are specifying more than one item, use a comma-separated list.




RELATED LINKS

Online Version: http://go.microsoft.com/fwlink/p/?linkid=291085
Add-ADDomainControllerPasswordReplicationPolicy
Get-ADDomainController
Get-ADDomainControllerPasswordReplicationPolicy

REMARKS


Examples


-------------------------- EXAMPLE 1 --------------------------

PS C:\> Remove-ADDomainControllerPasswordReplicationPolicy -Identity "FABRIKAM-RODC1" -AllowedList "JesperAaberg", "AdrianaAdams"



This command removes the users with samAccountNames JesperAaberg and AdrianaAdams from the Allowed list on the RODC FABRIKAM-RODC1.




-------------------------- EXAMPLE 2 --------------------------

PS C:\> Remove-ADDomainControllerPasswordReplicationPolicy -Identity "FABRIKAM-RODC1" -DeniedList "MichaelAllen", "ElizabethAndersen"



This command removes the users with samAccountNames MichaelAllen and ElizabethAndersen from the Denied list on the RODC FABRIKAM-RODC1.
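
The following is an added example, not part of Microsoft's help text. It combines the pipeline form described under DESCRIPTION with Get-ADDomainControllerPasswordReplicationPolicy (see RELATED LINKS) to review the allowed list of every RODC and preview the removal of principals that belong to a privileged group. The group name "Domain Admins" is an assumption, and -WhatIf keeps the run report-only.

```powershell
# Added example (not from the Microsoft help text). Assumes the ActiveDirectory
# module is available and that "Domain Admins" is the group to keep off RODCs.
Import-Module ActiveDirectory

$privilegedGroup = 'Domain Admins'   # assumption: adjust to your own tiering model

# SIDs of every direct or nested member of the privileged group.
$privilegedSids = Get-ADGroupMember -Identity $privilegedGroup -Recursive |
    ForEach-Object { $_.SID.Value }

# Every read-only domain controller in the current domain.
$rodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true }

foreach ($rodc in $rodcs) {
    # Principals currently on this RODC's allowed list.
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed

    # Keep only entries that are privileged accounts, or the privileged group itself.
    $toRemove = @($allowed | Where-Object {
        $_.SID -and (($privilegedSids -contains $_.SID.Value) -or ($_.Name -eq $privilegedGroup))
    })

    if ($toRemove.Count -eq 0) {
        Write-Output "$($rodc.Name): no privileged principals on the allowed list"
        continue
    }

    # Pass the RODC object through the pipeline to the Identity parameter.
    # -WhatIf reports what would be removed without changing the policy.
    $rodc | Remove-ADDomainControllerPasswordReplicationPolicy -AllowedList $toRemove -WhatIf
}
```

Remove -WhatIf only after reviewing the reported principals; -Confirm can be used instead to approve each removal interactively.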