Search Results for

    Show / Hide Table of Contents

    Set-AdmPwdPdsAccessControlParameters

    SYNOPSIS

    Sets parameters of PDS service related to access control decisions for password reads and resets.

    SYNTAX

    Pds

    Set-AdmPwdPdsAccessControlParameters [-Pds] <PdsEndpoint> [[-HonorAllExtendedRights] <Boolean>] [[-HonorFullControl] <Boolean>] [[-HonorLocalGroupsFromRemoteComputerDomain] <Boolean>] [[-MandatoryGroups] <SecurityIdentifier[]>] [<CommonParameters>]
    

    PdsName

    Set-AdmPwdPdsAccessControlParameters [-PdsName] <String> [[-HonorAllExtendedRights] <Boolean>] [[-HonorFullControl] <Boolean>] [[-HonorLocalGroupsFromRemoteComputerDomain] <Boolean>] [[-MandatoryGroups] <SecurityIdentifier[]>] [<CommonParameters>]
    

    DESCRIPTION

    PDS supports the following switches that influence access control decisions:

    • HonorFullControl: allows password reads/resets also to principals who have Full Control permission on object
    • HonorAllExtendedRights: allows password reads/resets also to principals who have All Extended Rights permission on object
    • HonorLocalGroupsFromRemoteComputerDomain: In multi-domain AD forests, PDS reads local group membership of caller in domain to see if local group gives Read or Reset password permision, and honors such permissions.

    Flags are stored in PDS.config file and are managed by this command.

    This command also allows to specify mandatory group the caller of Read/Reset password operation has to be member of (in addition to being delegated Read/Reset password permission) so as PDS would honor the request. This allows for implementation of Just-In-Time or Authentication-Mechanism-Assurance techniques.

    EXAMPLES

    Example 1

    Get-AdmPwdPds | Set-AdmPwdPdsAccessControlParameters -HonorFullControl $true
    

    Instructs PDS to allow password reads and resets when caller has Full Control on object, regardless Read Password and Reset Password permissions

    Example 2

    Set-AdmPwdPdsAccessControlParameters -PdsName mypds.mydomain.com -HonorFullControl $false -HonorAllExtendedRights $false -MandatoryGroups @('S-1-5-21-3636654476-1539571741-3331717474-3115')
    

    Instructs PDS running on server mypds.mydomain.com to allow password reads and resets when caller has Read Password permission and in addition is member of the AD group with SID = S-1-5-21-3636654476-1539571741-3331717474-3115

    PARAMETERS

    -Pds

    Instance of PDS as returned by Get-AdmPwdPds command

    Type: PdsEndpoint
    Parameter Sets: Pds
    Aliases:
    
    Required: True
    Position: 0
    Default value: None
    Accept pipeline input: True (ByValue)
    Accept wildcard characters: False
    

    -PdsName

    Name of instance of PDS - DNS name of machine hosting PDS service

    Type: String
    Parameter Sets: PdsName
    Aliases:
    
    Required: True
    Position: 0
    Default value: None
    Accept pipeline input: True (ByValue)
    Accept wildcard characters: False
    

    -HonorAllExtendedRights

    Whether to understand 'All Extended Rights' AD permission as permission to Read and Reset the password.

    Type: Boolean
    Parameter Sets: (All)
    Aliases:
    
    Required: False
    Position: 1
    Default value: None
    Accept pipeline input: False
    Accept wildcard characters: False
    

    -HonorFullControl

    Whether to understand 'Full Control' permission as permission to Read and Reset the password.

    Type: Boolean
    Parameter Sets: (All)
    Aliases:
    
    Required: False
    Position: 2
    Default value: None
    Accept pipeline input: False
    Accept wildcard characters: False
    

    -HonorLocalGroupsFromRemoteComputerDomain

    Whether to perform extended discovery of domain local groups caller is member of when performing access check

    Type: Boolean
    Parameter Sets: (All)
    Aliases:
    
    Required: False
    Position: 3
    Default value: None
    Accept pipeline input: False
    Accept wildcard characters: False
    

    -MandatoryGroups

    List of additional groups user must be member of to successfully read or reset the password.
    Particularly usable for scenarios such as JIT or AMA.

    Type: SecurityIdentifier[]
    Parameter Sets: (All)
    Aliases:
    
    Required: False
    Position: 4
    Default value: None
    Accept pipeline input: False
    Accept wildcard characters: False
    

    CommonParameters

    This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

    INPUTS

    AdmPwd.Types.PdsEndpoint

    System.String

    System.Boolean

    System.Security.Principal.SecurityIdentifier

    OUTPUTS

    NOTES

    Caller must hold PDS Admin role for the call to succeed.

    RELATED LINKS

    • Improve this Doc
    ☀
    ☾
    Back to top Generated by DocFX