Synopsis
Description
Commonly used attributes of the object can be specified by the parameters of this cmdlet. To set attributes for the object that are not represented by the parameters of this cmdlet, specify the OtherAttributes parameter.
You can use the pipeline operator and the Import-Csv cmdlet to pass a list for bulk creation of objects in the directory. You can also specify a template object by using the Instance parameter to create objects from a template.
Parameters
-AuthType
Specifies the authentication method to use. The acceptable values for this parameter are:
--Negotiate or 0
--Basic or 1
Required? false
Position? named
Default value Microsoft.ActiveDirectory.Management.AuthType.Negotiate
Accept pipeline input? false
Accept wildcard characters? false
-ComputerAllowedToAuthenticateTo <String>
Specifies the security descriptor definition language (SDDL) string of the security descriptor used to determine if the computer can authenticate to this account.
Required? false
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-ComputerTGTLifetimeMins <Int32>
Specifies the lifetime in minutes for non-renewable ticket granting tickets (TGTs) for computer accounts.
Required? false
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-Credential <PSCredential>
Specifies a user account that has permission to perform the task. The default is the current user. Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Description <String>
Specifies a description for the object. This parameter sets the value of the description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description".
Required? false
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-Enforce <SwitchParameter>
Indicates that the authentication policy is enforced.
Required? false
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-Instance <ADAuthenticationPolicy>
Specifies an instance of an ADAuthenticationPolicy object to use as a template for a new ADAuthenticationPolicy object. To get the ADAuthenticationPolicy object to use as a template, use the Get-ADAuthenticationPolicy cmdlet.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Name <String>
Specifies the name of the object. This parameter sets the Name property of the Active Directory Domain Services object. The LDAP Display Name (ldapDisplayName) of this property is "name".
Required? true
Position? 1
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-OtherAttributes <Hashtable>
Specifies a list of object attribute values for attributes that are not represented by other parameters. You can set one or more attributes at the same time with this parameter, and if an attribute takes more than one value you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory Domain Services schema.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-PassThru <SwitchParameter>
Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-ProtectedFromAccidentalDeletion <Boolean>
Indicates whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. The acceptable values for this parameter are:
--$False or 0
--$True or 1
Required? false
Position? named
Default value $true
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-Server <String>
Specifies the Active Directory Domain Services instance to which to connect, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-ServiceAllowedToAuthenticateFrom <String>
Specifies an access control expression used to determine from which devices the service can authenticate.
Required? false
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-ServiceAllowedToAuthenticateTo <String>
Specifies the SDDL string of the security descriptor used to determine if the service can authenticate to this account.
Required? false
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-ServiceTGTLifetimeMins <Int32>
Specifies the lifetime in minutes for non-renewable TGTs for service accounts.
Required? false
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-UserAllowedToAuthenticateFrom <String>
Specifies an access control expression used to determine from which devices the users can authenticate.
Required? false
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-UserAllowedToAuthenticateTo <String>
Specifies the SDDL string of the security descriptor used to determine if the users can authenticate to this account.
Required? false
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-UserTGTLifetimeMins <Int32>
Specifies the lifetime in minutes for non-renewable TGTs for user accounts.
Required? false
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-Confirm <SwitchParameter>
Prompts you for confirmation before running the cmdlet.
Required? false
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false
-WhatIf <SwitchParameter>
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Required? false
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false
Syntax
New-ADAuthenticationPolicy [-WhatIf] [-Confirm] [-AuthType <ADAuthType>] [-ComputerAllowedToAuthenticateTo <String>] [-ComputerTGTLifetimeMins <Int32>] [-Credential <PSCredential>] [-Description <String>] [-Enforce] [-Instance <ADAuthenticationPolicy>] [-Name] <String> [-OtherAttributes <Hashtable>] [-PassThru] [-ProtectedFromAccidentalDeletion <Boolean>] [-RollingNTLMSecret <ADStrongNTLMPolicyType>] [-Server <String>] [-ServiceAllowedToAuthenticateFrom <String>] [-ServiceAllowedToAuthenticateTo <String>] [-ServiceAllowedNTLMNetworkAuthentication] [-ServiceTGTLifetimeMins <Int32>] [-UserAllowedToAuthenticateFrom <String>] [-UserAllowedToAuthenticateTo <String>] [-UserAllowedNTLMNetworkAuthentication] [-UserTGTLifetimeMins <Int32>] [<CommonParameters>]
Create an authentication policy with a user TGT lifetime
PS C:> New-ADAuthenticationPolicy AuthPolicy01 -UserTGTLifetimeMins 60
This command creates an authentication policy object named AuthPolicy01 and sets the TGT lifetime for a user account to 60 minutes. Because the Enforce parameter is not specified, the authentication policy created is in audit mode.
Create an enforced authentication policy
PS C:> New-ADAuthenticationPolicy AuthPolicy02 -Enforce
This command creates an authentication policy named AuthPolicy02 and enforces it by specifying the Enforce parameter.
PS C:> New-ADAuthenticationPolicy testAuthenticationPolicy -UserAllowedToAuthenticateFrom (Get-Acl .\auth.txt).sddl
This command creates an authentication policy named TestAuthenticationPolicy. The UserAllowedToAuthenticationFrom parameter specifies the devices from which users are allowed to authenticate by an SDDL string in the file named auth.txt
Get-Command New-ADAuthenticationPolicy
. Get-ADAuthenticationPolicy
. Remove-ADAuthenticationPolicy
. Set-ADAuthenticationPolicy