Adds mapping of SIDs from untrusted forest to SID from PDS forest.
Add-AdmPwdPdsSidMapping [-Pds] <PdsEndpoint> [-PrimarySid] <SecurityIdentifier> [-MappedSid] <SecurityIdentifier> [[-Description] <String>] [<CommonParameters>]
Add-AdmPwdPdsSidMapping [-PdsName] <String> [-PrimarySid] <SecurityIdentifier> [-MappedSid] <SecurityIdentifier> [[-Description] <String>] [<CommonParameters>]
PDS supports management of untrusted forests. However, for management of untrusted forests, the following prerequisites must be configured:
- Explicit credentials for PDS to use when accessing intrusted forest
- Mapping of SID from untrusted forest to SIDs from PDS forests.
SID mappings are used for access control - User who wants to read or reset password must have his/her own SID (own SID or SID of group he/she is member of) 'paired' with SID that has been delegated the permission for password read/reset in untrusted forest. SID mapping is used to establish this pairing of SIDs.
For management of untrusted forest connection credentials, see command Add-AdmPwdPdsSupportedForest
# bring Primary SID from untrusted forest $primarySid=New-Object System.Security.Principal.SecurityIdentifier('S-1-5-21-418581132-3576222476-795453013-1653') # Construct mapped SID from PDS forest $mappedUser=New-Object System.Security.Principal.NTAccount('MyDomain\MyUser') $mappedSid=$mappedUser.Translate([System.Security.Principal.SecurityIdentifier]) # Configure mapping on all PDS instances Get-AdmPwdPds | Add-AdmPwdPdsSidMapping -PrimarySid $primarySid -MappedSid $mappedSid -Description 'Mapped SID from untrusted managed forest'
Gets list of all PDS instances discovered and adds definition SID mapping.
Instance of PDS as returned by Get-AdmPwdPds command
Type: PdsEndpoint Parameter Sets: Pds Aliases: Required: True Position: 0 Default value: None Accept pipeline input: True (ByValue) Accept wildcard characters: False
Name of instance of PDS - DNS name of machine hosting PDS service
Type: String Parameter Sets: PdsName Aliases: Required: True Position: 0 Default value: None Accept pipeline input: True (ByValue) Accept wildcard characters: False
Sid from untrusted forest. This is SID of principal that is delegated permission to read/reset password in untrusted forest.
Type: SecurityIdentifier Parameter Sets: (All) Aliases: Required: True Position: 1 Default value: None Accept pipeline input: False Accept wildcard characters: False
Sid of principal from PDS forest that is paired to primary SID when PDS performs access checks. Requestor of password read/reset operation must have this SID in his security token so as it's mapped to Primary SID.
Type: SecurityIdentifier Parameter Sets: (All) Aliases: Required: True Position: 2 Default value: None Accept pipeline input: False Accept wildcard characters: False
Description of SID mapping being added.
Type: String Parameter Sets: (All) Aliases: Required: False Position: 3 Default value: None Accept pipeline input: False Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Caller has to be member of PDS administrators role. If not a member, Access Denied error is returned.