New-ADClaimType
Synopsis
Description
Parameters
-AppliesToClasses
Specifies the security principal classes to which this claim applies. Possible values for this parameter include the following (or any Active Directory type that derives from these base types):
Required? false
Position? named
Default value Depending on SourceAttribute / SourceOID, the value is set to User / Computer respectively
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-AuthType <ADAuthType>
Specifies the authentication method to use. Possible values for this parameter include:
Required? false
Position? named
Default value Microsoft.ActiveDirectory.Management.AuthType.Negotiate
Accept pipeline input? false
Accept wildcard characters? false
-Credential <PSCredential>
Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Description <String>
Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description".
Required? false
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-DisplayName <String>
Specifies the display name of the claim type, which must be unique. The display name of a claim type can be used as an identity in other Active Directory cmdlets. For example, if the display name of a claim type is "Employee Type", then you can use 'Get-ADClaimType -Identity "Employee Type"' to retrieve the claim type.
Required? true
Position? 1
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-Enabled <Boolean>
Specifies if the claim type is enabled.
Required? false
Position? named
Default value True
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-ID <String>
Specifies the claim type ID. This is an optional parameter. By default, New-ADClaimType generates the ID automatically.
Required? false
Position? named
Default value Auto-generated
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-Instance <ADClaimType>
Specifies an instance of a claim type object to use as a template for the new claim type object.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-IsSingleValued <Boolean>
Specifies whether the claim type is single valued or multi-valued.
Required? false
Position? named
Default value True
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-OtherAttributes <Hashtable>
Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory schema.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-PassThru <SwitchParameter>
Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-ProtectedFromAccidentalDeletion <Boolean>
Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include:
Required? false
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-RestrictValues <Boolean>
Specifies whether the claim type may take values outside of SuggestedValues. If set to True, the claim may only take values listed in SuggestedValues.
Required? false
Position? named
Default value True
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-Server <String>
Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-SourceAttribute <String>
Specifies the Active Directory attribute on which this claim type is based and from which the claim value is obtained. The input must be the distinguished name (DN), name, or GUID of the attribute definition in the schema.
Required? true
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-SourceOID <String>
Can be used to configure a certificate-based claim type source. For example, use this parameter to create certificate-based claim types when you want to use smartcard logon claims for authorization decisions. The SourceOID parameter uses the string representation of an object identifier (OID) from the issuance policy found in the certificate and on the certificate template when using Active Directory Certificate Services. An example of an OID is "1.3.6.1.4.1.311.47.2.5".
Required? true
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-SourceTransformPolicy <SwitchParameter>
Indicates that the claim type is sourced from the claims transformation policy engine.
Required? true
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-SuggestedValues <ADSuggestedValueEntry[]>
Specifies one or more suggested values for the claim type. An application may choose to present this list of suggested values for the user to choose from. When RestrictValues is set to True, the application should limit the user to selecting values from this list only.
Required? false
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
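The following is an added worked example, not part of the cmdlet's own documentation. It builds the suggested-value list described under -SuggestedValues, creates a single-valued claim type with -RestrictValues $true so that only listed values are accepted, performs a -WhatIf dry run first, and then reads the object back with Get-ADClaimType to confirm what was written. The display name 'Employee Type', the source attribute employeeType and the description text are assumptions chosen for the example; it assumes the ActiveDirectory module is installed and the caller may create claim types in the current forest.

```powershell
# Added example (not from the cmdlet documentation): restricted, single-valued
# user claim whose values are limited to a suggested-value list.
Import-Module ActiveDirectory

# ADSuggestedValueEntry(value, displayName, description)
$suggested = @(
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('FTE', 'Full-Time', 'Full-time employee')
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('Intern', 'Intern', 'Student employee')
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('Contractor', 'Contractor', 'Contract employee')
)

# Assumed display name and source attribute; the value type is derived from the attribute.
$params = @{
    DisplayName                     = 'Employee Type'
    SourceAttribute                 = 'employeeType'
    SuggestedValues                 = $suggested
    RestrictValues                  = $true   # values outside the list are not allowed
    IsSingleValued                  = $true
    ProtectedFromAccidentalDeletion = $true
    Description                     = 'Employment category used in resource authorization rules'
}

# Dry run: reports the object that would be created without writing anything.
New-ADClaimType @params -WhatIf

# Create the claim type; -PassThru returns the new ADClaimType object.
$claim = New-ADClaimType @params -PassThru

# Verify the settings that were actually written, by display name.
$check = Get-ADClaimType -Identity $params.DisplayName -Properties *

if ($check.RestrictValues -and $check.IsSingleValued) {
    "Claim '$($check.DisplayName)' (ID $($check.ID)) is restricted to: $($check.SuggestedValues.Value -join ', ')"
}
else {
    Write-Warning "Claim type '$($check.DisplayName)' is not restricted or is multi-valued; review it before using it in access rules."
}
```

Running the -WhatIf call first is the cheap way to catch a mistyped source attribute or display name before an object is written to the configuration partition, where ProtectedFromAccidentalDeletion then has to be cleared before the object can be removed.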
-ValueType <ADClaimValueType>
Specifies the value type for this claim type. Below is a list of the valid value types:
- Int64
- UInt64
- String
- FQBN
- SID
- Boolean
- OctetString
Required? true
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-Confirm <SwitchParameter>
Prompts you for confirmation before running the cmdlet.
Required? false
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false
-WhatIf <SwitchParameter>
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Required? false
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false
Syntax
New-ADClaimType [-WhatIf] [-Confirm] [-AppliesToClasses <String[]>] [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Description <String>] [-DisplayName] <String> [-Enabled <Boolean>] [-ID <String>] [-Instance <ADClaimType>] [-IsSingleValued <Boolean>] [-OtherAttributes <Hashtable>] [-PassThru] [-ProtectedFromAccidentalDeletion <Boolean>] [-RestrictValues <Boolean>] [-Server <String>] -SourceAttribute <String> [-SuggestedValues <ADSuggestedValueEntry[]>] [<CommonParameters>]
New-ADClaimType [-WhatIf] [-Confirm] [-AppliesToClasses <String[]>] [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Description <String>] [-DisplayName] <String> [-Enabled <Boolean>] [-ID <String>] [-Instance <ADClaimType>] [-IsSingleValued <Boolean>] [-OtherAttributes <Hashtable>] [-PassThru] [-ProtectedFromAccidentalDeletion <Boolean>] [-RestrictValues <Boolean>] [-Server <String>] -SourceOID <String> [<CommonParameters>]
New-ADClaimType [-WhatIf] [-Confirm] [-AppliesToClasses <String[]>] [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Description <String>] [-DisplayName] <String> [-Enabled <Boolean>] [-ID <String>] [-Instance <ADClaimType>] [-IsSingleValued <Boolean>] [-OtherAttributes <Hashtable>] [-PassThru] [-ProtectedFromAccidentalDeletion <Boolean>] [-RestrictValues <Boolean>] [-Server <String>] [-SourceTransformPolicy] [-SuggestedValues <ADSuggestedValueEntry[]>] -ValueType <ADClaimValueType> [<CommonParameters>]
This cmdlet does not work with an Active Directory Snapshot.
C:\PS>New-ADClaimType Title -SourceAttribute title
Create a new user claim type with display name ‘Title’ that is sourced from the AD attribute ‘title’.
C:\PS>$fullTime = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("FTE", "Full-Time", "Full-time employee");
$intern = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Intern", "Intern", "Student employee");
$contractor = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Contractor", "Contractor", "Contract employee");
New-ADClaimType "Employee Type" -SourceAttribute employeeType -SuggestedValues $fullTime,$intern,$contractor
Create a new user claim type with display name ‘Employee Type’ that is sourced from the AD attribute ’employeeType’. The suggested values are set to ‘FTE’, ‘Intern’, and ‘Contractor’. Applications using this claim type would allow their users to specify one of the suggested values as this claim type’s value.
C:\PS>New-ADClaimType "Bitlocker Enabled" -SourceOID "1.3.6.1.4.1.121.67.1.1" -Enabled $FALSE
Create a new device claim type with display name 'Bitlocker Enabled' and source OID '1.3.6.1.4.1.121.67.1.1'. The claim type is created in a disabled state.
C:\PS>New-ADClaimType Title -SourceAttribute title -ID "ad://ext/title1"
Create a new user claim type with display name ‘Title’ that is sourced from the AD attribute ‘title’ and ID set to ‘ad://ext/title1’.
The ID should only be set manually in a multi-forest environment where the same claim type needs to work across forests. By default, New-ADClaimType generates the ID automatically. For claim types to be considered identical across forests, their ID must be the same.
C:\PS>New-ADClaimType SourceForest -SourceTransformPolicy -ValueType String
Create a new claim type with display name ‘SourceForest’ that is sourced from the claims transformation policy engine.
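The following is an added worked example, not part of the cmdlet documentation, covering the multi-forest case described above: the same attribute-sourced claim type is created in two forests with an explicitly chosen -ID so that the claim is treated as identical across the forest trust, and the resulting IDs are then compared. The server names, the prompted credentials and the display name 'Title' are placeholders and assumptions for the example; the ID value 'ad://ext/title1' is the one used in the example above.

```powershell
# Added example (not from the cmdlet documentation): identical claim type ID
# in two forests, with a verification step.
Import-Module ActiveDirectory

$displayName = 'Title'
$claimId     = 'ad://ext/title1'   # must be identical in every forest

# Placeholder servers and credentials, one entry per forest.
$forests = @(
    @{ Server = 'dc1.forest-a.example'; Credential = (Get-Credential -Message 'Forest A administrator') }
    @{ Server = 'dc1.forest-b.example'; Credential = (Get-Credential -Message 'Forest B administrator') }
)

$created = foreach ($f in $forests) {
    # Reuse an existing claim type with this display name rather than creating a duplicate.
    $existing = Get-ADClaimType -Filter "DisplayName -eq '$displayName'" -Server $f.Server -Credential $f.Credential
    if ($existing) {
        $existing
        continue
    }
    New-ADClaimType -DisplayName $displayName -SourceAttribute title -ID $claimId `
        -Server $f.Server -Credential $f.Credential -PassThru
}

# Claim types are only considered identical across forests when their IDs match.
$ids = @($created | ForEach-Object ID | Sort-Object -Unique)
if ($ids.Count -eq 1 -and $ids[0] -eq $claimId) {
    "Claim '$displayName' has the same ID ($claimId) in all $($forests.Count) forests."
}
else {
    Write-Warning "ID mismatch across forests: $($ids -join ', '). These claim types will not be treated as identical."
}
```

The lookup before each New-ADClaimType call matters because a pre-existing claim type with the same display name but an auto-generated ID would otherwise leave the two forests with different IDs, which the final check reports.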
Get-Command New-ADClaimType