New-ADAuthenticationPolicy

by Posted on

New-ADAuthenticationPolicy is accessible with the help of addsadministration module. To install addsadministration on your system please refer to this link.

Synopsis

Creates an Active Directory Domain Services authentication policy object.

Description

The New-ADAuthenticationPolicy creates an authentication policy object in Active Directory Domain Services.

Commonly used attributes of the object can be specified by the parameters of this cmdlet. To set attributes for the object that are not represented by the parameters of this cmdlet, specify the OtherAttributes parameter.

You can use the pipeline operator and the Import-Csv cmdlet to pass a list for bulk creation of objects in the directory. You can also specify a template object by using the Instance parameter to create objects from a template.

Parameters 

 -AuthType 
         Specifies the authentication method to use. The acceptable values for this parameter are:
    --Negotiate or 0
    --Basic or 1

    Required?                    false
    Position?                    named
    Default value                Microsoft.ActiveDirectory.Management.AuthType.Negotiate
    Accept pipeline input?       false
    Accept wildcard characters?  false

-ComputerAllowedToAuthenticateTo <String>
    Specifies the security descriptor definition language (SDDL) string of the security descriptor used to determine if the computer can authenticate to this account.

    Required?                    false
    Position?                    named
    Default value                
    Accept pipeline input?       True (ByPropertyName)
    Accept wildcard characters?  false

-ComputerTGTLifetimeMins <Int32>
    Specifies the lifetime in minutes for non-renewable ticket granting tickets (TGTs) for computer accounts.

    Required?                    false
    Position?                    named
    Default value                
    Accept pipeline input?       True (ByPropertyName)
    Accept wildcard characters?  false

-Credential <PSCredential>
    Specifies a user account that has permission to perform the task. The default is the current user. Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet.

    Required?                    false
    Position?                    named
    Default value                
    Accept pipeline input?       false
    Accept wildcard characters?  false

-Description <String>
    Specifies a description for the object. This parameter sets the value of the description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description".

    Required?                    false
    Position?                    named
    Default value                
    Accept pipeline input?       True (ByPropertyName)
    Accept wildcard characters?  false

-Enforce <SwitchParameter>
    Indicates that the authentication policy is enforced.

    Required?                    false
    Position?                    named
    Default value                
    Accept pipeline input?       True (ByPropertyName)
    Accept wildcard characters?  false

-Instance <ADAuthenticationPolicy>
    Specifies an instance of an ADAuthenticationPolicy object to use as a template for a new ADAuthenticationPolicy object. To get the ADAuthenticationPolicy object to use as a template, use the Get-ADAuthenticationPolicy cmdlet.

    Required?                    false
    Position?                    named
    Default value                
    Accept pipeline input?       false
    Accept wildcard characters?  false

-Name <String>
    Specifies the name of the object. This parameter sets the Name property of the Active Directory Domain Services object. The LDAP Display Name (ldapDisplayName) of this property is "name".

    Required?                    true
    Position?                    1
    Default value                
    Accept pipeline input?       True (ByPropertyName)
    Accept wildcard characters?  false

-OtherAttributes <Hashtable>
    Specifies a list of object attribute values for attributes that are not represented by other parameters. You can set one or more attributes at the same time with this parameter, and if an attribute takes more than one value you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory Domain Services schema.

    Required?                    false
    Position?                    named
    Default value                
    Accept pipeline input?       false
    Accept wildcard characters?  false

-PassThru <SwitchParameter>
    Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.

    Required?                    false
    Position?                    named
    Default value                
    Accept pipeline input?       false
    Accept wildcard characters?  false

-ProtectedFromAccidentalDeletion <Boolean>
    Indicates whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. The acceptable values for this parameter are:&nbsp;

    --$False or 0
    --$True or 1

    Required?                    false
    Position?                    named
    Default value                $true
    Accept pipeline input?       True (ByPropertyName)
    Accept wildcard characters?  false

-Server <String>
    Specifies the Active Directory Domain Services instance to which to connect, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following:  Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance.

    Required?                    false
    Position?                    named
    Default value                
    Accept pipeline input?       false
    Accept wildcard characters?  false

-ServiceAllowedToAuthenticateFrom <String>
    Specifies an access control expression used to determine from which devices the service can authenticate.

    Required?                    false
    Position?                    named
    Default value                
    Accept pipeline input?       True (ByPropertyName)
    Accept wildcard characters?  false

-ServiceAllowedToAuthenticateTo <String>
    Specifies the SDDL string of the security descriptor used to determine if the service can authenticate to this account.

    Required?                    false
    Position?                    named
    Default value                
    Accept pipeline input?       True (ByPropertyName)
    Accept wildcard characters?  false

-ServiceTGTLifetimeMins <Int32>
    Specifies the lifetime in minutes for non-renewable TGTs for service accounts.

    Required?                    false
    Position?                    named
    Default value                
    Accept pipeline input?       True (ByPropertyName)
    Accept wildcard characters?  false

-UserAllowedToAuthenticateFrom <String>
    Specifies an access control expression used to determine from which devices the users can authenticate.

    Required?                    false
    Position?                    named
    Default value                
    Accept pipeline input?       True (ByPropertyName)
    Accept wildcard characters?  false

-UserAllowedToAuthenticateTo <String>
    Specifies the SDDL string of the security descriptor used to determine if the users can authenticate to this account.

    Required?                    false
    Position?                    named
    Default value                
    Accept pipeline input?       True (ByPropertyName)
    Accept wildcard characters?  false

-UserTGTLifetimeMins <Int32>
    Specifies the lifetime in minutes for non-renewable TGTs for user accounts.

    Required?                    false
    Position?                    named
    Default value                
    Accept pipeline input?       True (ByPropertyName)
    Accept wildcard characters?  false

-Confirm <SwitchParameter>
    Prompts you for confirmation before running the cmdlet.

    Required?                    false
    Position?                    named
    Default value                false
    Accept pipeline input?       false
    Accept wildcard characters?  false

-WhatIf <SwitchParameter>
    Shows what would happen if the cmdlet runs. The cmdlet is not run.

    Required?                    false
    Position?                    named
    Default value                false
    Accept pipeline input?       false
    Accept wildcard characters?  false

Syntax

New-ADAuthenticationPolicy [-WhatIf] [-Confirm] [-AuthType <ADAuthType>] [-ComputerAllowedToAuthenticateTo <String>] [-ComputerTGTLifetimeMins <Int32>] [-Credential <PSCredential>] [-Description <String>] [-Enforce] [-Instance <ADAuthenticationPolicy>] [-Name] <String> [-OtherAttributes <Hashtable>] [-PassThru] [-ProtectedFromAccidentalDeletion <Boolean>] [-RollingNTLMSecret <ADStrongNTLMPolicyType>] [-Server <String>] [-ServiceAllowedToAuthenticateFrom <String>] [-ServiceAllowedToAuthenticateTo <String>] [-ServiceAllowedNTLMNetworkAuthentication] [-ServiceTGTLifetimeMins <Int32>] [-UserAllowedToAuthenticateFrom <String>] [-UserAllowedToAuthenticateTo <String>] [-UserAllowedNTLMNetworkAuthentication] [-UserTGTLifetimeMins <Int32>] [<CommonParameters>]

————————– EXAMPLE 1 ————————–
Create an authentication policy with a user TGT lifetime
PS C:> New-ADAuthenticationPolicy AuthPolicy01 -UserTGTLifetimeMins 60
This command creates an authentication policy object named AuthPolicy01 and sets the TGT lifetime for a user account to 60 minutes. Because the Enforce parameter is not specified, the authentication policy created is in audit mode.

————————– EXAMPLE 2 ————————–
Create an enforced authentication policy
PS C:> New-ADAuthenticationPolicy AuthPolicy02 -Enforce
This command creates an authentication policy named AuthPolicy02 and enforces it by specifying the Enforce parameter.

————————– EXAMPLE 3 ————————–
PS C:> New-ADAuthenticationPolicy testAuthenticationPolicy -UserAllowedToAuthenticateFrom (Get-Acl .\auth.txt).sddl
This command creates an authentication policy named TestAuthenticationPolicy. The UserAllowedToAuthenticationFrom parameter specifies the devices from which users are allowed to authenticate by an SDDL string in the file named auth.txt

You can check the Version, CommandType and Source of this cmdlet by giving below command.

Get-Command New-ADAuthenticationPolicy
Get-Command New-ADAuthenticationPolicy Powershell script command cmdlet

You can also read about
. Get-ADAuthenticationPolicy
. Remove-ADAuthenticationPolicy
. Set-ADAuthenticationPolicy

To know more PowerShell cmdlets(Commands) on addsadministration (Active Directory) click here

Click on this Link for an Single place where you get all the PowerShell cmdlet sorted based on the modules.

You can also refer other blogs on PowerShell at link

You can also refer other blogs on Microsoft at link

And also if you required any technology you want to learn, let us know below we will publish them in our site http://tossolution.com/

Like our page in Facebook and follow us for New technical information.

References are taken from Microsoft

Published by Karthik S

Lead DevOps | Windows | AWS | Azure | Docker | Kubernetes | Jenkins

Leave a Reply

Your email address will not be published. Required fields are marked *