ActiveDirectory/ActiveDirectory/en-US/Microsoft.ActiveDirectory.Management.dll-help.xml
<?xml version = "1.0" encoding = "utf-8" ?>
<helpItems schema="maml"> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Add-ADCentralAccessPolicyMember</command:name><maml:description><maml:para>Adds central access rules to a central access policy in Active Directory. </maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Add</command:verb><command:noun>ADCentralAccessPolicyMember</command:noun><dev:version /></command:details><maml:description><maml:para>The Add-ADCentralAccessPolicyMember cmdlet adds central access rules to a central access policy in Active Directory. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Add-ADCentralAccessPolicyMember</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Finance Documents Policy,CN=Central Access Policies,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADCentralAccessPolicy</command:parameterValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>Members</maml:name><maml:description><maml:para>Specifies a set of central access rule (CAR) objects in a comma-separated list to add to a central access policy (CAP). To identify each object, use one of the following property values. Note: The identifier in parentheses is the LDAP display name. </maml:para><maml:para>Name </maml:para><maml:para>Example: Finance Documents Rule </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Finance Documents Rule,CN=Central Access Rules,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>You can also provide objects to this parameter directly. </maml:para><maml:para>The following examples show how to specify this parameter. </maml:para><maml:para>This example specifies two CARs to add by specifying the distinguished name and the name properties. </maml:para><maml:para>-Members "CN=Finance Documents Rule,CN=Central Access Rules,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com", "Corporate Documents Rule" </maml:para><maml:para>This example specifies two CARs that are defined in the current Windows PowerShell session as input for the parameter. </maml:para><maml:para>-Members $carObject, $carObject2 </maml:para><maml:para>You cannot pass objects through the pipeline to this parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADCentralAccessRule[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Finance Documents Policy,CN=Central Access Policies,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADCentralAccessPolicy</command:parameterValue><dev:type><maml:name>ADCentralAccessPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>Members</maml:name><maml:description><maml:para>Specifies a set of central access rule (CAR) objects in a comma-separated list to add to a central access policy (CAP). To identify each object, use one of the following property values. Note: The identifier in parentheses is the LDAP display name. </maml:para><maml:para>Name </maml:para><maml:para>Example: Finance Documents Rule </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Finance Documents Rule,CN=Central Access Rules,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>You can also provide objects to this parameter directly. </maml:para><maml:para>The following examples show how to specify this parameter. </maml:para><maml:para>This example specifies two CARs to add by specifying the distinguished name and the name properties. </maml:para><maml:para>-Members "CN=Finance Documents Rule,CN=Central Access Rules,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com", "Corporate Documents Rule" </maml:para><maml:para>This example specifies two CARs that are defined in the current Windows PowerShell session as input for the parameter. </maml:para><maml:para>-Members $carObject, $carObject2 </maml:para><maml:para>You cannot pass objects through the pipeline to this parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADCentralAccessRule[]</command:parameterValue><dev:type><maml:name>ADCentralAccessRule[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADCentralAccessPolicy</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A ADCentralAccessPolicy object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.ADCentralAccessPolicy</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns the modified ADCentralAccessPolicy object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Add-ADCentralAccessPolicyMember "Finance Policy" -Member "Finance Documents Rule","Corporate Documents Rule" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Adds the central access rules 'Finance Documents Rule' and 'Corporate Documents Rule' to the central access policy 'Finance Policy'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Add-ADCentralAccessPolicyMember cmdlet Add-ADCentralAccessPolicyMember at command pipeline position 1 Supply values for the following parameters: Identity: Finance Policy Members[0]: Finance Documents Rule Members[1]: Corporate Documents Rule Members[2]: </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Demonstrates default behavior for this cmdlet (no parameters specified). Adds central access rules 'Finance Documents Rule' and 'Corporate Documents Rule' to the central access policy 'Finance Policy'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADCentralAccessPolicy -Filter { Name -like "Corporate*" } | Add-ADCentralAccessPolicyMember -Members "Corporate Documents Rule" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Gets all central access policies that have a name that starts with "Corporate" and then pipes it to Add-ADCentralAccessPolicyMember, which then adds the central access rule with the name 'Corporate Documents Rule' to it. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291002</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Add-ADComputerServiceAccount</command:name><maml:description><maml:para>Adds one or more service accounts to an Active Directory computer.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Add</command:verb><command:noun>ADComputerServiceAccount</command:noun><dev:version /></command:details><maml:description><maml:para>The Add-ADComputerServiceAccount cmdlet adds one or more computer service accounts to an Active Directory computer. </maml:para><maml:para>The Computer parameter specifies the Active Directory computer that will host the new service accounts. You can identify a computer by its distinguished name (DN), GUID, security identifier (SID) or Security Accounts Manager (SAM) account name. You can also set the Computer parameter to a computer object variable, such as $<localComputerobject>, or pass a computer object through the pipeline to the Computer parameter. For example, you can use the Get-ADComputer cmdlet to retrieve a computer object and then pass the object through the pipeline to the Add-ADComputerServiceAccount cmdlet. </maml:para><maml:para>The ServiceAccount parameter specifies the service accounts to add. You can identify a service account by its distinguished name (DN), GUID, Security Identifier (SID) or Security Accounts Manager (SAM) account name. You can also specify service account object variables, such as $<localServiceAccountObject>. If you are specifying more than one account, use a comma-separated list. </maml:para><maml:para>Note: Adding a service account is a different operation than installing the service account locally. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Add-ADComputerServiceAccount</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases="Computer"><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory computer object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavisDesktop,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>Security Accounts Manager Account Name (sAMAccountName) </maml:para><maml:para>Example: SaraDavisDesktop </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If the identifier given is a DN, the partition to search will be computed from that DN. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a computer object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saraDavisDesktop,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a computer object instance named "computerInstance". </maml:para><maml:para>-Identity $computerInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADComputer</command:parameterValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>ServiceAccount</maml:name><maml:description><maml:para>Specifies one or more Active Directory service accounts. You can identify a service account by using one of the following property values: </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=serviceadmin,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: serviceadmin </maml:para><maml:para>The following example shows how to specify a service account for this parameter using the SAM Account Name. </maml:para><maml:para>-ServiceAccount "serviceAdminEurope" </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADServiceAccount[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases="Computer"><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory computer object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavisDesktop,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>Security Accounts Manager Account Name (sAMAccountName) </maml:para><maml:para>Example: SaraDavisDesktop </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If the identifier given is a DN, the partition to search will be computed from that DN. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a computer object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saraDavisDesktop,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a computer object instance named "computerInstance". </maml:para><maml:para>-Identity $computerInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADComputer</command:parameterValue><dev:type><maml:name>ADComputer</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>ServiceAccount</maml:name><maml:description><maml:para>Specifies one or more Active Directory service accounts. You can identify a service account by using one of the following property values: </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=serviceadmin,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: serviceadmin </maml:para><maml:para>The following example shows how to specify a service account for this parameter using the SAM Account Name. </maml:para><maml:para>-ServiceAccount "serviceAdminEurope" </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADServiceAccount[]</command:parameterValue><dev:type><maml:name>ADServiceAccount[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADComputer</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A computer object is received by the Computer parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADComputer</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns the modified computer object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with AD LDS. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para><maml:para>This cmdlet does not work when targeting a snapshot using the Server parameter. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Add-ADComputerServiceAccount -Computer ComputerAcct1 -serviceAccount SvcAcct1 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Add the service account 'SvcAcct1' to a Computer Account 'ComputerAcct1' </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Add-ADComputerServiceAccount -Computer ComputerAcct1 -serviceAccount SvcAcct1,SvcAcct2 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Add 2 service accounts 'SvcAcct1,SvcAcct2' to a Computer Account 'ComputerAcct1'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291003</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADComputer</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADComputerServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADComputerServiceAccount</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Add-ADDomainControllerPasswordReplicationPolicy</command:name><maml:description><maml:para>Adds users, computers, and groups to the allowed or denied list of a read-only domain controller password replication policy.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Add</command:verb><command:noun>ADDomainControllerPasswordReplicationPolicy</command:noun><dev:version /></command:details><maml:description><maml:para>The Add-ADDomainControllerPasswordReplicationPolicy cmdlet adds one or more users, computers, and groups to the allowed or denied list of a read-only domain controller (RODC) password replication policy. </maml:para><maml:para>The Identity parameter specifies the RODC that uses the allowed and denied lists to apply the password replication policy. You can identify a domain controller by its GUID, IPV4Address, global IPV6Address, or DNS host name. You can also identify a domain controller by the name of the server object that represents the domain controller, the Distinguished Name (DN) of the NTDS settings object of the server object, the GUID of the NTDS settings object of the server object under the configuration partition, or the DN of the computer object that represents the domain controller. You can also set the Identity parameter to a domain controller object variable, such as $<localDomainControllerobject>, or pass a domain controller object through the pipeline to the Identity parameter. For example, you can use the Get-ADDomainController cmdlet to get a domain controller object and then pass the object through the pipeline to the Add-ADDomainControllerPasswordReplicationPolicy cmdlet. You must specify a read-only domain controller. If you specify a writeable domain controller for this parameter, the cmdlet returns a non-terminating error. </maml:para><maml:para>The AllowedList parameter specifies the users, computers, and groups to add to the allowed list. Similarly, the DeniedList parameter specifies the users, computers, and groups to add to the denied list. You must specify either one or both of the AllowedList and DeniedList parameters. You can identify a user, computer, or group by distinguished name (DN), GUID, security identifier (SID) or Security Accounts Manager (SAM) account name. You can also specify user, computer, or group variables, such as $<localUserObject>. If you are specifying more than one item, use a comma-separated list. If a specified user, computer, or group is not on the allowed or denied list, the cmdlet does not return an error. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Add-ADDomainControllerPasswordReplicationPolicy</maml:name><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADDomainController</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A read-only domain controller (RODC) object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None.</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with AD LDS. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Add-ADDomainControllerPasswordReplicationPolicy -Identity "FABRIKAM-RODC1" -AllowedList "JesperAaberg", "AdrianaAdams" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Adds user accounts to the Allowed list on a given RODC with the specified SamAccountNames. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Add-ADDomainControllerPasswordReplicationPolicy -Identity "FABRIKAM-RODC1" -DeniedList "MichaelAllen", "ElizabethAndersen" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Adds user accounts to the Allowed list on a given RODC with the specified SamAccountNames. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291004</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADDomainController</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADDomainControllerPasswordReplicationPolicy</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Add-ADFineGrainedPasswordPolicySubject</command:name><maml:description><maml:para>Applies a fine-grained password policy to one more users and groups.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Add</command:verb><command:noun>ADFineGrainedPasswordPolicySubject</command:noun><dev:version /></command:details><maml:description><maml:para>The Add-ADFineGrainedPasswordPolicySubject cmdlet applies a fine-grained password policy to one or more global security groups and users. </maml:para><maml:para>The Identity parameter specifies the fine-grained password policy to apply. You can identify a fine-grained password policy by its distinguished name, GUID or name. You can also set the Identity parameter to a fine-grained password policy object variable, such as $<localPasswordPolicyObject>, or pass a fine-grained password policy object through the pipeline to the Identity parameter. For example, you can use the Get-ADFineGrainedPasswordPolicy cmdlet to get a fine-grained password policy object and then pass the object through the pipeline to the Add-ADFineGrainedPasswordPolicySubject cmdlet. </maml:para><maml:para>The Subjects parameter specifies the users and global security groups. You can identify a user or global security group by its distinguished name (DN), GUID, security identifier (SID) or Security Accounts Manager (SAM) account name. You can also specify user and global security group object variables, such as $<localUserObject>. If you are specifying more than one user or group, use a comma-separated list. To pass user and global security group objects through the pipeline to the Subjects parameter, use the Get-ADUser or the Get-ADGroup cmdlets to retrieve the user or group objects, and then pass these objects through the pipeline to the Add-ADFineGrainedPasswordPolicySubject cmdlet. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Add-ADFineGrainedPasswordPolicySubject</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory fine-grained password policy object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name (distinguishedName) </maml:para><maml:para>Example: CN=Strict Password Policy,CN=Password Settings Container,CN=System,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Name (name) </maml:para><maml:para>Example: PasswordPolicyLevel1 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a fine-grained password policy object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=Strict Password Policy,CN=Password Settings Container,CN=System,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a fine-grained password policy object instance named "fineGrainedPasswordPolicyInstance". </maml:para><maml:para>-Identity $fineGrainedPasswordPolicyInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADFineGrainedPasswordPolicy</command:parameterValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByValue)" position="2" aliases=""><maml:name>Subjects</maml:name><maml:description><maml:para>Specifies one or more users or groups. To specify more than one user or group, use a comma-separated list. You can identify a user or group by one of the following property values. </maml:para><maml:para>Distinguished Name (DN) </maml:para><maml:para>Example: CN=SaraDavis,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>Note: The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>You can also provide objects to this parameter directly. </maml:para><maml:para>The following example shows how to set this parameter to a list of users and groups by using a distinguished name and SAM account names. </maml:para><maml:para>-Subjects "CN=SaraDavis, CN=Users,DC=corp,DC=contoso,DC=com","donhall","saradavisreports" </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADPrincipal[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory fine-grained password policy object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name (distinguishedName) </maml:para><maml:para>Example: CN=Strict Password Policy,CN=Password Settings Container,CN=System,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Name (name) </maml:para><maml:para>Example: PasswordPolicyLevel1 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a fine-grained password policy object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=Strict Password Policy,CN=Password Settings Container,CN=System,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a fine-grained password policy object instance named "fineGrainedPasswordPolicyInstance". </maml:para><maml:para>-Identity $fineGrainedPasswordPolicyInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADFineGrainedPasswordPolicy</command:parameterValue><dev:type><maml:name>ADFineGrainedPasswordPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByValue)" position="2" aliases=""><maml:name>Subjects</maml:name><maml:description><maml:para>Specifies one or more users or groups. To specify more than one user or group, use a comma-separated list. You can identify a user or group by one of the following property values. </maml:para><maml:para>Distinguished Name (DN) </maml:para><maml:para>Example: CN=SaraDavis,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>Note: The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>You can also provide objects to this parameter directly. </maml:para><maml:para>The following example shows how to set this parameter to a list of users and groups by using a distinguished name and SAM account names. </maml:para><maml:para>-Subjects "CN=SaraDavis, CN=Users,DC=corp,DC=contoso,DC=com","donhall","saradavisreports" </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADPrincipal[]</command:parameterValue><dev:type><maml:name>ADPrincipal[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy, Microsoft.ActiveDirectory.Management.ADPrincipal</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A fine-grained password policy object is received by the Identity parameter. One or more principal objects that represent users and security group objects are received by the Subjects parameter. Derived principal types, such as the following are also accepted by the Subjects parameter: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns the modified fine-grained password policy object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with AD LDS. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Add-ADFineGrainedPasswordPolicySubject DomainUsersPSO -Subjects 'Domain Users' </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Apply the Fine-Grained Password Policy named DomainUsersPSO to a Global Security Group 'Domain Users'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Add-ADFineGrainedPasswordPolicySubject DlgtdAdminsPSO -Subjects BobKe,KimAb </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Apply the Fine-Grained Password Policy named DlgtdAdminsPSO to two users, with SamAccountNames BobKe and KimAb. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Add-ADFineGrainedPasswordPolicySubject DlgtdAdminsPSO -Subjects DlgtdAdminGroup </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Apply the Fine-Grained Password Policy named DlgtdAdminsPSO to the group DlgtdAdminGroup. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADGroup -Filter {lastname -eq "John"} | Add-ADFineGrainedPasswordPolicySubject DlgtdAdminsPSO </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Apply the Fine-Grained Password Policy named DlgtdAdminsPSO to any users whose last names is John. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291005</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADFineGrainedPasswordPolicy</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Add-ADGroupMember</command:name><maml:description><maml:para>Adds one or more members to an Active Directory group.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Add</command:verb><command:noun>ADGroupMember</command:noun><dev:version /></command:details><maml:description><maml:para>The Add-ADGroupMember cmdlet adds one or more users, groups, service accounts, or computers as new members of an Active Directory group. </maml:para><maml:para>The Identity parameter specifies the Active Directory group that receives the new members. You can identify a group by its distinguished name (DN), GUID, security identifier (SID) or Security Accounts Manager (SAM) account name. You can also specify group object variable, such as $<localGroupObject>, or pass a group object through the pipeline to the Identity parameter. For example, you can use the Get-ADGroup cmdlet to get a group object and then pass the object through the pipeline to the Add-ADGroupMember cmdlet. </maml:para><maml:para>The Members parameter specifies the new members to add to a group. You can identify a new member by its distinguished name (DN), GUID, security identifier (SID) or SAM account name. You can also specify user, computer, and group object variables, such as $<localUserObject>. If you are specifying more than one new member, use a comma-separated list. You cannot pass user, computer, or group objects through the pipeline to this cmdlet. To add user, computer, or group objects to a group by using the pipeline, use the Add-ADPrincipalGroupMembership cmdlet. </maml:para><maml:para>For AD LDS environments, the Partition parameter must be specified except in the following two conditions: </maml:para><maml:para>-The cmdlet is run from an Active Directory provider drive. </maml:para><maml:para>-A default naming context or partition is defined for the AD LDS environment. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Add-ADGroupMember</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory group object by providing one of the following values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavisreports,OU=europe,CN=users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>Security Accounts Manager (SAM) Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavisreports </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saradavisreports,OU=europe,CN=users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a group object instance named "ADGroupInstance". </maml:para><maml:para>-Identity $ADGroupInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADGroup</command:parameterValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>Members</maml:name><maml:description><maml:para>Specifies a set of user, group, and computer objects in a comma-separated list to add to a group. To identify each object, use one of the following property values. Note: The identifier in parentheses is the LDAP display name. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>You can also provide objects to this parameter directly. </maml:para><maml:para>The following examples show how to specify this parameter. </maml:para><maml:para>This example specifies a user and group to add by specifying the distinguished name and the SAM Account Name properties. </maml:para><maml:para>-Members "CN=SaraDavis,CN=employees,CN=Users,DC=contoso,DC=com", "saradavisreports" </maml:para><maml:para>This example specifies a user and a group object that are defined in the current Windows PowerShell session as input for the parameter. </maml:para><maml:para>-Members $userObject, $groupObject </maml:para><maml:para>The objects specified for this parameter are processed as Microsoft.ActiveDirectory.Management.ADPrincipal objects. Derived types, such as the following are also received by this parameter. </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>You cannot pass objects through the pipeline to this parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADPrincipal[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory group object by providing one of the following values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavisreports,OU=europe,CN=users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>Security Accounts Manager (SAM) Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavisreports </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saradavisreports,OU=europe,CN=users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a group object instance named "ADGroupInstance". </maml:para><maml:para>-Identity $ADGroupInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADGroup</command:parameterValue><dev:type><maml:name>ADGroup</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>Members</maml:name><maml:description><maml:para>Specifies a set of user, group, and computer objects in a comma-separated list to add to a group. To identify each object, use one of the following property values. Note: The identifier in parentheses is the LDAP display name. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>You can also provide objects to this parameter directly. </maml:para><maml:para>The following examples show how to specify this parameter. </maml:para><maml:para>This example specifies a user and group to add by specifying the distinguished name and the SAM Account Name properties. </maml:para><maml:para>-Members "CN=SaraDavis,CN=employees,CN=Users,DC=contoso,DC=com", "saradavisreports" </maml:para><maml:para>This example specifies a user and a group object that are defined in the current Windows PowerShell session as input for the parameter. </maml:para><maml:para>-Members $userObject, $groupObject </maml:para><maml:para>The objects specified for this parameter are processed as Microsoft.ActiveDirectory.Management.ADPrincipal objects. Derived types, such as the following are also received by this parameter. </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>You cannot pass objects through the pipeline to this parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADPrincipal[]</command:parameterValue><dev:type><maml:name>ADPrincipal[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADGroup</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A group object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADGroup</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns the modified group object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Add-ADGroupMember SvcAccPSOGroup SQL01,SQL02 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Adds the user accounts with SamAccountNames SQL01,SQL02 to the group SvcAccPSOGroup. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Add-ADGroupMember cmdlet Add-ADGroupMember at command pipeline position 1 Supply values for the following parameters: Identity: RodcAdmins Members[0]: JohnSmith Members[1]: JeffPrice Members[2]: </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Demonstrates default behavior for this cmdlet (no parameters specified). Adds user accounts with SamAccountNames JohnSmith and JeffPrice to the group RodcAdmins. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADGroup -Server localhost:60000 -SearchBase "OU=AccountDeptOU,DC=AppNC" -filter { name -like "AccountLeads" } | Add-ADGroupMember -Members "CN=SanjayPatel,OU=AccountDeptOU,DC=AppNC" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Gets a group from the Organizational Unit "OU=AccountDeptOU,DC=AppNC" in the AD LDS instance localhost:60000 that has the name "AccountLeads" and then pipes it to Add-ADGroupMember, which then adds the user account with DistinguishedName "CN=SanjayPatel,OU=AccountDeptOU,DC=AppNC" to it. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>$user = Get-ADUser "CN=Glen John,OU=UserAccounts,DC=NORTHAMERICA,DC=FABRIKAM,DC=COM" -Server "northamerica.fabrikam.com"; $group = Get-ADGroup "CN=AccountLeads,OU=UserAccounts,DC=EUROPE,DC=FABRIKAM,DC=COM -Server "europe.fabrikam.com"; Add-ADGroupMember $group -Member $user -Server "europe.fabrikam.com" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Adds the user "CN=Glen John,OU=UserAccounts" from the North America domain to the group "CN=AccountLeads,OU=UserAccounts" in the Europe domain. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291006</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Add-ADPrincipalGroupMembership</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADGroup</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADGroupMember</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADPrincipalGroupMembership</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADGroupMember</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADPrincipalGroupMembership</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Add-ADPrincipalGroupMembership</command:name><maml:description><maml:para>Adds a member to one or more Active Directory groups.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Add</command:verb><command:noun>ADPrincipalGroupMembership</command:noun><dev:version /></command:details><maml:description><maml:para>The Add-ADPrincipalGroupMembership cmdlet adds a user, group, service account, or computer as a new member to one or more Active Directory groups. </maml:para><maml:para>The Identity parameter specifies the new user, computer, or group to add. You can identify the user, group, or computer by its distinguished name (DN), GUID, security identifier (SID), or SAM account name. You can also specify a user, group, or computer object variable, such as $<localGroupObject>, or pass an object through the pipeline to the Identity parameter. For example, you can use the Get-ADGroup cmdlet to get a group object and then pass the object through the pipeline to the Add-ADPrincipalGroupMembership cmdlet. Similarly, you can use Get-ADUser or Get-ADComputer to get user and computer objects to pass through the pipeline. </maml:para><maml:para>This cmdlet collects all of the user, computer and group objects from the pipeline, and then adds these objects to the specified group by using one Active Directory operation. </maml:para><maml:para>The MemberOf parameter specifies the groups that receive the new member. You can identify a group by its distinguished name (DN), GUID, security identifier (SID), or Security Accounts Manager (SAM) account name. You can also specify group object variable, such as $<localGroupObject>. To specify more than one group, use a comma-separated list. You cannot pass group objects through the pipeline to the MemberOf parameter. To add to a group by passing the group through the pipeline, use the Add-ADGroupMember cmdlet. </maml:para><maml:para>For AD LDS environments, the Partition parameter must be specified except in the following two conditions: </maml:para><maml:para>-The cmdlet is run from an Active Directory provider drive. </maml:para><maml:para>-A default naming context or partition is defined for the AD LDS environment. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Add-ADPrincipalGroupMembership</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory principal object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>- Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>- Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>- Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>- Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saradavis,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a principal object instance named "principalInstance". </maml:para><maml:para>-Identity $principalInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADPrincipal</command:parameterValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>MemberOf</maml:name><maml:description><maml:para>Specifies the Active Directory groups to add a user, computer, or group to as a member. You can identify a group by providing one of the following values. Note: The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavisreports,CN=europe,CN=users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>Security Accounts Manager (SAM) Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavisreports </maml:para><maml:para>If you are specifying more than one group, use commas to separate the groups in the list. </maml:para><maml:para>The following example shows how to specify this parameter by using SAM account name values. </maml:para><maml:para>-MemberOf "SaraDavisGroup", "JohnSmithGroup" </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADGroup[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory principal object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>- Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>- Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>- Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>- Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saradavis,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a principal object instance named "principalInstance". </maml:para><maml:para>-Identity $principalInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADPrincipal</command:parameterValue><dev:type><maml:name>ADPrincipal</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>MemberOf</maml:name><maml:description><maml:para>Specifies the Active Directory groups to add a user, computer, or group to as a member. You can identify a group by providing one of the following values. Note: The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavisreports,CN=europe,CN=users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>Security Accounts Manager (SAM) Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavisreports </maml:para><maml:para>If you are specifying more than one group, use commas to separate the groups in the list. </maml:para><maml:para>The following example shows how to specify this parameter by using SAM account name values. </maml:para><maml:para>-MemberOf "SaraDavisGroup", "JohnSmithGroup" </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADGroup[]</command:parameterValue><dev:type><maml:name>ADGroup[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADPrincipal</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A principal object (Microsoft.ActiveDirectory.Management.ADPrincipal) that represents a user, computer or group is received by the Identity parameter. Derived types, such as the following are also received by this parameter. </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADGroup </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADPrincipal</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns a principal object that represents the modified user, computer or group object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Add-ADPrincipalGroupMembership -Identity SQLAdmin1 -MemberOf DlgtdAdminsPSOGroup </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Adds the user with SamAccountName "SQLAdmin1" to the group "DlgtdAdminsPSOGroup". </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADUser -Filter 'Name -like "*SvcAccount*"' | Add-ADPrincipalGroupMembership -MemberOf SvcAccPSOGroup </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Gets all users with "SvcAccount" in their name and adds it to the group "SvcAccPSOGroup". </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Add-ADPrincipalGroupMembership cmdlet Add-ADPrincipalGroupMembership at command pipeline position 1 Supply values for the following parameters: Identity: JeffPrice MemberOf[0]: RodcAdmins MemberOf[1]: Allowed RODC Password Replication Group MemberOf[2]: </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Demonstrates the default behavior of this cmdlet (no parameters specified). </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADUser -Server localhost:60000 -SearchBase "DC=AppNC" -filter { Title -eq "Account Lead" -and Office -eq "Branch1" } | Add-ADPrincipalGroupMembership -MemberOf "CN=AccountLeads,OU=AccountDeptOU,DC=AppNC" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Adds all employees in "Branch1" in the AD LDS instance "localhost:60000" whose title is "Account Lead" to the group with the DistinguishedName "CN=AccountLeads,OU=AccountDeptOU,DC=AppNC". </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291007</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Add-ADGroupMember</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADComputer</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADGroup</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADGroupMember</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADPrincipalGroupMembership</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADUser</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADGroupMember</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADPrincipalGroupMembership</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Add-ADResourcePropertyListMember</command:name><maml:description><maml:para>Adds one or more resource properties to a resource property list in Active Directory. </maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Add</command:verb><command:noun>ADResourcePropertyListMember</command:noun><dev:version /></command:details><maml:description><maml:para>The Add-ADResourcePropertyListMember adds one or more resource properties to a resource property list in Active Directory. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Add-ADResourcePropertyListMember</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: Country,CN=Resource Properties,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADResourcePropertyList</command:parameterValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>Members</maml:name><maml:description><maml:para>Specifies a set of ADResourceProperty objects in a comma-separated list to add to a resource property list. To identify each object, use one of the following property values. Note: The identifier in parentheses is the LDAP display name. </maml:para><maml:para>Name </maml:para><maml:para>Example: Country </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Country,CN=Resource Properties,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>You can also provide objects to this parameter directly. </maml:para><maml:para>The following examples show how to specify this parameter. </maml:para><maml:para>This example specifies two resource properties to add by specifying the distinguished name and the name properties. </maml:para><maml:para>-Members "CN=Country,CN=Resource Properties,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com", "Authors" </maml:para><maml:para>This example specifies two resource property objects that are defined in the current Windows PowerShell session as input for the parameter. </maml:para><maml:para>-Members $rpObject1, $rpObject2 </maml:para><maml:para>You cannot pass objects through the pipeline to this parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADResourceProperty[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: Country,CN=Resource Properties,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADResourcePropertyList</command:parameterValue><dev:type><maml:name>ADResourcePropertyList</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>Members</maml:name><maml:description><maml:para>Specifies a set of ADResourceProperty objects in a comma-separated list to add to a resource property list. To identify each object, use one of the following property values. Note: The identifier in parentheses is the LDAP display name. </maml:para><maml:para>Name </maml:para><maml:para>Example: Country </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Country,CN=Resource Properties,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>You can also provide objects to this parameter directly. </maml:para><maml:para>The following examples show how to specify this parameter. </maml:para><maml:para>This example specifies two resource properties to add by specifying the distinguished name and the name properties. </maml:para><maml:para>-Members "CN=Country,CN=Resource Properties,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com", "Authors" </maml:para><maml:para>This example specifies two resource property objects that are defined in the current Windows PowerShell session as input for the parameter. </maml:para><maml:para>-Members $rpObject1, $rpObject2 </maml:para><maml:para>You cannot pass objects through the pipeline to this parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADResourceProperty[]</command:parameterValue><dev:type><maml:name>ADResourceProperty[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADClaimTypeList</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A ADClaimTypeList object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADClaimTypeList</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns the modified ADClaimTypeList object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Add-ADResourcePropertyListMember "Global Resource Property List" -Members Country,Authors </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Adds the resource properties named "Country" and "Authors" to the global resource property list. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Add-ADResourcePropertyListMember cmdlet Add-ADResourcePropertyListMember at command pipeline position 1 Supply values for the following parameters: Identity: Corporate Resource Property List Members[0]: Country Members[1]: Authors Members[2]: </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Demonstrates default behavior for this cmdlet (no parameters specified). Adds the resource properties named "Country" and "Authors" to the resource property list named "Corporate Resource Property List". </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADResourcePropertyList -Filter { Name -like "Corporate*" } | Add-ADResourcePropertyListMember -Members Country,Authors </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Gets any resource property list that has a name that begins with "Corporate" and then pipes it to Add-ADResourcePropertyListMember, which then adds the resource properties with the name 'Country' and 'Authors' to it. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291008</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Clear-ADAccountExpiration</command:name><maml:description><maml:para>Clears the expiration date for an Active Directory account.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Clear</command:verb><command:noun>ADAccountExpiration</command:noun><dev:version /></command:details><maml:description><maml:para>The Clear-ADAccountExpiration cmdlet clears the expiration date for an Active Directory user or computer account. When you clear the expiration date for an account, the account does not expire. </maml:para><maml:para>The Identity parameter specifies the user or computer account to modify. You can identify a user or group by its distinguished name (DN), GUID, security identifier (SID), or Security Accounts Manager (SAM) account name. You can also set the Identity parameter to a user or computer object variable, such as $<localUserObject>, or pass a user or computer object through the pipeline to the Identity parameter. For example, you can use the Get-ADUser, Get-ADComputer or Search-ADAccount cmdlet to retrieve an object and then pass the object through the pipeline to the Clear-ADAccountExpiration cmdlet. </maml:para><maml:para>For AD LDS environments, the Partition parameter must be specified except in the following two conditions: </maml:para><maml:para>-The cmdlet is run from an Active Directory provider drive. </maml:para><maml:para>-A default naming context or partition is defined for the AD LDS environment. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Clear-ADAccountExpiration</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory account object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis ,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an account object instance. </maml:para><maml:para>Derived types such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saradavis,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to an account object instance named "accountInstance". </maml:para><maml:para>-Identity $accountInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAccount</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory account object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis ,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an account object instance. </maml:para><maml:para>Derived types such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saradavis,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to an account object instance named "accountInstance". </maml:para><maml:para>-Identity $accountInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAccount</command:parameterValue><dev:type><maml:name>ADAccount</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADAccount</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>An account object (Microsoft.ActiveDirectory.Management.ADAccount) is received by the Identity parameter. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Clear-ADAccountExpiration -Identity JeffPrice </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Clears the account expiration date for the user with SamAccountName: JeffPrice. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Clear-ADAccountExpiration -Identity "CN=JeffPrice,DC=AppNC" -server "FABRIKAM-SVR1:60000" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Clears the account expiration date for the user with DistinguishedName: "CN=JeffPrice,DC=AppNC" on the AD LDS instance: "FABRIKAM-SVR1:60000". </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291009</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Search-ADAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADAccountExpiration</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADUser Get-ADComputer</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Clear-ADClaimTransformLink</command:name><maml:description><maml:para>Removes a claims transformation from being applied to one or more cross-forest trust relationships in Active Directory.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Clear</command:verb><command:noun>ADClaimTransformLink</command:noun><dev:version /></command:details><maml:description><maml:para>The Clear-ADClaimTransformLink cmdlet removes a claims transformation from being applied to one or more cross-forest trust relationships in Active Directory. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Clear-ADClaimTransformLink</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory trust object by providing one of the following values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=fabikam.com,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to a group object instance named "ADTrustInstance". </maml:para><maml:para>-Identity $ADTrustInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADTrust</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Policy</maml:name><maml:description><maml:para>Removes the specified claim transformation policy from being applied to the trust relationship. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimTransformPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>TrustRole</maml:name><maml:description><maml:para>Specifies the role of the current forest in the trust relationship specified by the Identity parameter. The allowable values for this parameter are as follows: </maml:para><maml:para>- Trusted (specify this value if the current forest is the trusted forest) </maml:para><maml:para>- Trusting (specify this value if the current forest is the trusting forest) </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Trusted</command:parameterValue><command:parameterValue required="true" variableLength="false">Trusting</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory trust object by providing one of the following values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=fabikam.com,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to a group object instance named "ADTrustInstance". </maml:para><maml:para>-Identity $ADTrustInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADTrust</command:parameterValue><dev:type><maml:name>ADTrust</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Policy</maml:name><maml:description><maml:para>Removes the specified claim transformation policy from being applied to the trust relationship. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimTransformPolicy</command:parameterValue><dev:type><maml:name>ADClaimTransformPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>TrustRole</maml:name><maml:description><maml:para>Specifies the role of the current forest in the trust relationship specified by the Identity parameter. The allowable values for this parameter are as follows: </maml:para><maml:para>- Trusted (specify this value if the current forest is the trusted forest) </maml:para><maml:para>- Trusting (specify this value if the current forest is the trusting forest) </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADTrustRole</command:parameterValue><dev:type><maml:name>ADTrustRole</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADTrust</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>An account object (Microsoft.ActiveDirectory.Management.ADTrust) is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Clear-ADClaimTransformLink "corp.contoso.com" -Policy DenyAllPolicy </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Remove the policy named 'DenyAllPolicy' from the 'corp.contoso.com' trust. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Clear-ADClaimTransformLink "corp.contoso.com" -TrustRole Trusted </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Remove any policies that are applied to where this forest acts as the trusted forest in the "corp.contoso.com" trust. Effectively, this cmdlet removes any policies that are applied to claims flowing out of this forest towards it trust partner. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Clear-ADClaimTransformLink "corp.contoso.com" -Policy DenyAllPolicy -TrustRole Trusting </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Remove "DenyAllPolicy" that is applied to where this forest acts as the trusted domain in the "corp.contoso.com" trust. Effectively, this cmdlet removes "DenyAllPolicy" from applying to claims coming into this from its trust partner. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291010</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Disable-ADAccount</command:name><maml:description><maml:para>Disables an Active Directory account.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Disable</command:verb><command:noun>ADAccount</command:noun><dev:version /></command:details><maml:description><maml:para>The Disable-ADAccount cmdlet disables an Active Directory user, computer, or service account. </maml:para><maml:para>The Identity parameter specifies the Active Directory user, computer service account, or other service account that you want to disable. You can identify an account by its distinguished name (DN), GUID, security identifier (SID), or Security Accounts Manager (SAM) account name. You can also set the Identity parameter to an object variable such as $<localADAccountObject>, or you can pass an account object through the pipeline to the Identity parameter. For example, you can use the Get-ADUser cmdlet to retrieve a user account object and then pass the object through the pipeline to the Disable-Account cmdlet. Similarly, you can use Get-ADComputer and Search-ADAccount to retrieve account objects. </maml:para><maml:para>For AD LDS environments, the Partition parameter must be specified except in the following two conditions: </maml:para><maml:para>-The cmdlet is run from an Active Directory provider drive. </maml:para><maml:para>-A default naming context or partition is defined for the AD LDS environment. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Disable-ADAccount</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory account object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis ,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an account object instance. </maml:para><maml:para>Derived types such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saradavis,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to an account object instance named "accountInstance". </maml:para><maml:para>-Identity $accountInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAccount</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory account object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis ,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an account object instance. </maml:para><maml:para>Derived types such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saradavis,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to an account object instance named "accountInstance". </maml:para><maml:para>-Identity $accountInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAccount</command:parameterValue><dev:type><maml:name>ADAccount</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADAccount</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>An account object is received by the Identity parameter. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Disable-ADAccount -Identity KimAb </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Disables the account with SamAccountName: KimAB. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Disable-ADAccount -Identity "CN=Kim Abercrombie,OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Disables the account with DistinguishedName: "CN=Kim Abercrombie,OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM". </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADUser -Filter 'Name -like "*"' -SearchBase "OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM" | Disable-ADAccount </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Disables all accounts in the OU: "OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM". </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291011</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Clear-ADAccountExpiration</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Enable-ADAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADAccountAuthorizationGroup</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Search-ADAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADAccountControl</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADAccountExpiration</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADAccountPassword</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Unlock-ADAccount</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Disable-ADOptionalFeature</command:name><maml:description><maml:para>Disables an Active Directory optional feature.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Disable</command:verb><command:noun>ADOptionalFeature</command:noun><dev:version /></command:details><maml:description><maml:para>The Disable-ADOptionalFeature disables an Active Directory optional feature that is associated with a particular Domain Mode or Forest Mode. </maml:para><maml:para>The Identity parameter specifies the Active Directory optional feature that you want to disable. You can identify an optional feature by its distinguished name (DN), feature GUID, or object GUID. You can also set the parameter to an optional feature object variable, such as $<localOptionalFeatureObject> or you can pass an optional feature object through the pipeline to the Identity parameter. For example, you can use the Get-ADOptionalFeature cmdlet to retrieve an optional feature object and then pass the object through the pipeline to the Disable-ADOptionalFeature cmdlet. </maml:para><maml:para>The Scope parameter specifies the scope at which the optional feature is disabled. Possible values for this parameter are Domain and Forest. </maml:para><maml:para>The Target parameter specifies the domain or forest on which the optional feature is disabled. You can identify the domain or forest by its fully-qualified domain name (FQDN), NetBIOS name, or the distinguished name (DN) of the domain naming context (domain NC). </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Disable-ADOptionalFeature</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory optional feature object by providing one of the following values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Example: corp.contoso.com </maml:para><maml:para>Feature GUID (featureGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Object GUID (objectGUID) </maml:para><maml:para>Example: 482ab21c-823e-401e-879a-ac7383d64eb9 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an optional feature object instance. </maml:para><maml:para>This example shows how to set the parameter to a fully qualified domain name. </maml:para><maml:para>-Identity "corp.contoso.com" </maml:para><maml:para>This example shows how to set this parameter to an optional feature object instance named "optionalFeatureInstance". </maml:para><maml:para>-Identity $optionalFeatureInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADOptionalFeature</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="3" aliases=""><maml:name>Scope</maml:name><maml:description><maml:para>Specifies the scope at which the feature is enabled or disabled. Possible values for this parameter include: </maml:para><maml:para>Domain or 0 </maml:para><maml:para>Forest or 1 </maml:para><maml:para>The following example shows how to set this parameter so that optional features are enabled or disabled within the scope of the forest. </maml:para><maml:para>-Scope Forest </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Unknown</command:parameterValue><command:parameterValue required="true" variableLength="false">ForestOrConfigurationSet</command:parameterValue><command:parameterValue required="true" variableLength="false">Domain</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="4" aliases=""><maml:name>Target</maml:name><maml:description><maml:para>Specifies the domain or forest in which to modify the optional feature. You can identify the target domain or forest by providing one of the following values: </maml:para><maml:para>Fully-qualified domain name of the forest or domain </maml:para><maml:para>Example: corp.Fabrikam.com </maml:para><maml:para>NetBIOS name of the forest or domain </maml:para><maml:para>Example: corp </maml:para><maml:para>Distinguished name of the domain naming context (domain NC) </maml:para><maml:para>Example: DC=corp,DC=Fabrikam,DC=com </maml:para><maml:para>The following example shows how to set this parameter to a domain NC. </maml:para><maml:para>-Target "DC=corp,DC=Fabrikam,DC=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADEntity</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory optional feature object by providing one of the following values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Example: corp.contoso.com </maml:para><maml:para>Feature GUID (featureGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Object GUID (objectGUID) </maml:para><maml:para>Example: 482ab21c-823e-401e-879a-ac7383d64eb9 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an optional feature object instance. </maml:para><maml:para>This example shows how to set the parameter to a fully qualified domain name. </maml:para><maml:para>-Identity "corp.contoso.com" </maml:para><maml:para>This example shows how to set this parameter to an optional feature object instance named "optionalFeatureInstance". </maml:para><maml:para>-Identity $optionalFeatureInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADOptionalFeature</command:parameterValue><dev:type><maml:name>ADOptionalFeature</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="3" aliases=""><maml:name>Scope</maml:name><maml:description><maml:para>Specifies the scope at which the feature is enabled or disabled. Possible values for this parameter include: </maml:para><maml:para>Domain or 0 </maml:para><maml:para>Forest or 1 </maml:para><maml:para>The following example shows how to set this parameter so that optional features are enabled or disabled within the scope of the forest. </maml:para><maml:para>-Scope Forest </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADOptionalFeatureScope</command:parameterValue><dev:type><maml:name>ADOptionalFeatureScope</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="4" aliases=""><maml:name>Target</maml:name><maml:description><maml:para>Specifies the domain or forest in which to modify the optional feature. You can identify the target domain or forest by providing one of the following values: </maml:para><maml:para>Fully-qualified domain name of the forest or domain </maml:para><maml:para>Example: corp.Fabrikam.com </maml:para><maml:para>NetBIOS name of the forest or domain </maml:para><maml:para>Example: corp </maml:para><maml:para>Distinguished name of the domain naming context (domain NC) </maml:para><maml:para>Example: DC=corp,DC=Fabrikam,DC=com </maml:para><maml:para>The following example shows how to set this parameter to a domain NC. </maml:para><maml:para>-Target "DC=corp,DC=Fabrikam,DC=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADEntity</command:parameterValue><dev:type><maml:name>ADEntity</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADOptionalFeature</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>An optional feature object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Disable-ADOptionalFeature 'Feature 1' -Scope ForestOrConfigurationSet -Target 'fabrikam' -Server DC1 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Disable the optional feature (name 'Feature 1') for the forest (NetBIOS name 'fabrikam'). This operation should be performed against the DC that holds the naming master FSMO role. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Disable-ADOptionalFeature -Identity 'CN=Feature 1,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=fabrikam,DC=com' -Scope ForestOrConfigurationSet -Target 'fabrikam.com' -Server DC1 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Disable the optional feature (dn 'CN=Feature 1,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=fabrikam,DC=com') for the forest (FQDN name 'fabrikam.com'). This operation should be performed against the DC that holds the naming master FSMO role. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Disable-ADOptionaFeature -Identity '54ec6e43-75a8-445b-aa7b-346a1e096659' -Scope Domain -Target 'DC=fabrikam,DC=com' -Server DC1 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Disable the optional feature (feature GUID '54ec6e43-75a8-445b-aa7b-346a1e096659') for the domain (dn 'DC=ntdev,DC=fabrikam,DC=com'). This operation should be performed against the DC that holds the naming master FSMO role. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Disable-ADOptionalFeature 'Feature 1' -Scope ForestOrConfigurationSet -Target 'CN=Configuration,CN={0241853A-6BBF-48AA-8AE0-9C35D0C91B7B}' -server server1:50000 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Disable the optional feature (name 'Feature 1') for the AD LDS instance (dn 'CN=Configuration,CN={0241853A-6BBF-48AA-8AE0-9C35D0C91B7B}'). This operation should be performed against the AD LDS instance that holds the naming master FSMO role. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291012</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Enable-ADOptionalFeature</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADOptionalFeature</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Enable-ADAccount</command:name><maml:description><maml:para>Enables an Active Directory account.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Enable</command:verb><command:noun>ADAccount</command:noun><dev:version /></command:details><maml:description><maml:para>The Enable-ADAccount cmdlet enables an Active Directory user, computer or service account. </maml:para><maml:para>The Identity parameter specifies the Active Directory user, computer or service account that you want to enable. You can identify an account by its distinguished name (DN), GUID, security identifier (SID) or Security Accounts Manager (SAM) account name. You can also set the Identity parameter to an object variable such as $<localADAccountObject>, or you can pass an account object through the pipeline to the Identity parameter. For example, you can use the Get-ADUser cmdlet to retrieve an account object and then pass the object through the pipeline to the Enable-ADAccount cmdlet. Similarly, you can use Get-ADComputer and Search-ADAccount to retrieve account objects. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Enable-ADAccount</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory account object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis ,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an account object instance. </maml:para><maml:para>Derived types such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saradavis,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to an account object instance named "accountInstance". </maml:para><maml:para>-Identity $accountInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAccount</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory account object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis ,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an account object instance. </maml:para><maml:para>Derived types such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saradavis,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to an account object instance named "accountInstance". </maml:para><maml:para>-Identity $accountInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAccount</command:parameterValue><dev:type><maml:name>ADAccount</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADAccount</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>An account object is received by the Identity parameter. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None </maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Enable-ADAccount -Identity KimAb </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Enables the account with SamAccountName: KimAb. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Enable-ADAccount -Identity "CN=Kim Abercrombie,OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Enables the account with DistinguishedName: "CN=Kim Abercrombie,OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM". </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADUser -Filter 'Name -like "*"' -SearchBase "OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM" | Enable-ADAccount </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Disables all accounts in the OU: "OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM". </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291013</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Clear-ADAccountExpiration</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Disable-ADAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADAccountAuthorizationGroup</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Search-ADAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADAccountControl</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADAccountExpiration</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADAccountPassword</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Unlock-ADAccount</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Enable-ADOptionalFeature</command:name><maml:description><maml:para>Enables an Active Directory optional feature.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Enable</command:verb><command:noun>ADOptionalFeature</command:noun><dev:version /></command:details><maml:description><maml:para>The Enable-ADOptionalFeature enables an Active Directory optional feature that is associated with a particular Domain mode or Forest mode. Active Directory optional features that depend on a specified domain mode or Forest mode must be explicitly enabled after the domain mode or forest mode is set. </maml:para><maml:para>The Identity parameter specifies the Active Directory optional feature that you want to enable. You can identify an optional feature by its distinguished name (DN), feature GUID, or object GUID. You can also set the parameter to an optional feature object variable, such as $<localOptionalFeatureObject> or you can pass an optional feature object through the pipeline to the Identity parameter. For example, you can use the Get-ADOptionalFeature cmdlet to retrieve an optional feature object and then pass the object through the pipeline to the Enable-ADOptionalFeature cmdlet. </maml:para><maml:para>The Scope parameter specifies the scope at which the optional feature will be enabled. Possible values for this parameter are Domain and Forest. </maml:para><maml:para>The Target parameter specifies the domain or forest on which the optional feature will be enabled. You can identify the domain or forest by its fully-qualified domain name (FQDN), NetBIOS name, or distinguished name (DN) of the domain naming context (domain NC). </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Enable-ADOptionalFeature</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory optional feature object by providing one of the following values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Example: corp.contoso.com </maml:para><maml:para>Feature GUID (featureGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Object GUID (objectGUID) </maml:para><maml:para>Example: 482ab21c-823e-401e-879a-ac7383d64eb9 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an optional feature object instance. </maml:para><maml:para>This example shows how to set the parameter to a fully qualified domain name. </maml:para><maml:para>-Identity "corp.contoso.com" </maml:para><maml:para>This example shows how to set this parameter to an optional feature object instance named "optionalFeatureInstance". </maml:para><maml:para>-Identity $optionalFeatureInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADOptionalFeature</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="3" aliases=""><maml:name>Scope</maml:name><maml:description><maml:para>Specifies the scope at which the feature is enabled or disabled. Possible values for this parameter include: </maml:para><maml:para>Domain or 0 </maml:para><maml:para>Forest or 1 </maml:para><maml:para>The following example shows how to set this parameter so that optional features are enabled or disabled within the scope of the forest. </maml:para><maml:para>-Scope Forest </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Unknown</command:parameterValue><command:parameterValue required="true" variableLength="false">ForestOrConfigurationSet</command:parameterValue><command:parameterValue required="true" variableLength="false">Domain</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="4" aliases=""><maml:name>Target</maml:name><maml:description><maml:para>Specifies the domain or forest in which to modify the optional feature. You can identify the target domain or forest by providing one of the following values: </maml:para><maml:para>Fully-qualified domain name of the forest or domain </maml:para><maml:para>Example: corp.Fabrikam.com </maml:para><maml:para>NetBIOS name of the forest or domain </maml:para><maml:para>Example: corp </maml:para><maml:para>You can also where Scope is set to domain (not forest), use the following: </maml:para><maml:para>Distinguished name (DN) of the domain naming context (domain NC) </maml:para><maml:para>Example: DC=corp,DC=Fabrikam,DC=com </maml:para><maml:para>The following example shows how to set this parameter using a DN to a domain NC when the scope of the command is set to forest level. </maml:para><maml:para>-Target "DC=corp,DC=Fabrikam,DC=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADEntity</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory optional feature object by providing one of the following values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Example: corp.contoso.com </maml:para><maml:para>Feature GUID (featureGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Object GUID (objectGUID) </maml:para><maml:para>Example: 482ab21c-823e-401e-879a-ac7383d64eb9 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an optional feature object instance. </maml:para><maml:para>This example shows how to set the parameter to a fully qualified domain name. </maml:para><maml:para>-Identity "corp.contoso.com" </maml:para><maml:para>This example shows how to set this parameter to an optional feature object instance named "optionalFeatureInstance". </maml:para><maml:para>-Identity $optionalFeatureInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADOptionalFeature</command:parameterValue><dev:type><maml:name>ADOptionalFeature</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="3" aliases=""><maml:name>Scope</maml:name><maml:description><maml:para>Specifies the scope at which the feature is enabled or disabled. Possible values for this parameter include: </maml:para><maml:para>Domain or 0 </maml:para><maml:para>Forest or 1 </maml:para><maml:para>The following example shows how to set this parameter so that optional features are enabled or disabled within the scope of the forest. </maml:para><maml:para>-Scope Forest </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADOptionalFeatureScope</command:parameterValue><dev:type><maml:name>ADOptionalFeatureScope</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="4" aliases=""><maml:name>Target</maml:name><maml:description><maml:para>Specifies the domain or forest in which to modify the optional feature. You can identify the target domain or forest by providing one of the following values: </maml:para><maml:para>Fully-qualified domain name of the forest or domain </maml:para><maml:para>Example: corp.Fabrikam.com </maml:para><maml:para>NetBIOS name of the forest or domain </maml:para><maml:para>Example: corp </maml:para><maml:para>You can also where Scope is set to domain (not forest), use the following: </maml:para><maml:para>Distinguished name (DN) of the domain naming context (domain NC) </maml:para><maml:para>Example: DC=corp,DC=Fabrikam,DC=com </maml:para><maml:para>The following example shows how to set this parameter using a DN to a domain NC when the scope of the command is set to forest level. </maml:para><maml:para>-Target "DC=corp,DC=Fabrikam,DC=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADEntity</command:parameterValue><dev:type><maml:name>ADEntity</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADOptionalFeature</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>An optional feature object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para><maml:para>Recycle Bin Feature: Once the Active Directory Recycle Bin is enabled, all objects deleted before the Active Directory Recycle Bin was enabled (tombstone objects) become recycled objects. They are no longer visible in the Deleted Objects container and they cannot be recovered using Active Directory Recycle Bin. The only way to restore these objects is though an authoritative restore from an AD DS backup taken before the Active Directory Recycle Bin was enabled. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'fabrikam.com' -server dc1 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Enable the optional feature 'Recycle Bin Feature' for the forest 'fabrikam.com'. This operation must be performed on the Domain Controller that holds the naming master FSMO role. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Enable-ADOptionalFeature 'Feature 1' -Scope ForestOrConfigurationSet -Target 'CN=Configuration,CN={0241853A-6BBF-48AA-8AE0-9C35D0C91B7B}' -server lds.fabrikam.com:50000 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Enable the optional feature 'Recycle Bin Feature' for the AD LDS instance lds.fabrikam.com. This operation must be performed on the AD LDS instance that holds the naming master FSMO role. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADObject -Identity "CN=Partitions,CN=Configuration,CN={4F971828-5BE4-4E94-B532-58F2BFB6A3A5}" -replace @{"msDS-Behavior-Version"=4} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Sets the ForestMode (Forest Functional Level) to Windows2008R2Forest on an AD LDS instance. The ForestMode must be Windows2008R2Forest or higher in order to enable the Recycle Bin Feature for AD LDS. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291014</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Disable-ADOptionalFeature</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADOptionalFeature</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADAccountAuthorizationGroup</command:name><maml:description><maml:para>Gets the accounts token group information.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADAccountAuthorizationGroup</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADAuthorizationGroup cmdlet gets the security groups from the specified user, computer or service accounts token. This cmdlet requires a global catalog to perform the group search. If the forest that contains the account does not have a global catalog, the cmdlet returns a non-terminating error. </maml:para><maml:para>The Identity parameter specifies the user, computer, or service account. You can identify a user, computer, or service account object by its distinguished name (DN), GUID, security identifier (SID), Security Account Manager (SAM) account name or user principal name. You can also set the Identity parameter to an account object variable, such as $<localAccountobject>, or pass an account object through the pipeline to the Identity parameter. For example, you can use the Get-ADUser, Get-ADComputer, Get-ADServiceAccount or Search-ADAccount cmdlets to retrieve an account object and then pass the object through the pipeline to the Get-ADAccountAuthorizationGroup cmdlet. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADAccountAuthorizationGroup</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory account object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis ,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an account object instance. </maml:para><maml:para>Derived types such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saradavis,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to an account object instance named "accountInstance". </maml:para><maml:para>-Identity $accountInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAccount</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory account object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis ,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an account object instance. </maml:para><maml:para>Derived types such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saradavis,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to an account object instance named "accountInstance". </maml:para><maml:para>-Identity $accountInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAccount</command:parameterValue><dev:type><maml:name>ADAccount</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADAccount</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>An account object that represents the user, computer or service account is received by the Identity parameter. Derived types, such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADGroup</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns group objects that represent the security groups for the account. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADAccountAuthorizationGroup GlenJohn GroupScope : DomainLocal objectGUID : 00000000-0000-0000-0000-000000000000 GroupCategory : Security SamAccountName : Everyone name : Everyone objectClass : SID : S-1-1-0 distinguishedName : GroupScope : DomainLocal objectGUID : 00000000-0000-0000-0000-000000000000 GroupCategory : Security SamAccountName : Authenticated Users name : Authenticated Users objectClass : SID : S-1-5-11 distinguishedName : GroupScope : Global objectGUID : 86c0f0d5-8b4d-4f35-a867-85a006b92902 GroupCategory : Security SamAccountName : Domain Users name : Domain Users objectClass : group SID : S-1-5-21-41432690-3719764436-1984117282-513 distinguishedName : CN=Domain Users,CN=Users,DC=Fabrikam,DC=com GroupScope : DomainLocal objectGUID : 869fb7ad-8cf2-4dd0-ac0f-4bd3bf324669 GroupCategory : Security SamAccountName : Pre-Windows 2000 Compatible Access name : Pre-Windows 2000 Compatible Access objectClass : group SID : S-1-5-32-554 distinguishedName : CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=Fabrikam,DC=com GroupScope : DomainLocal objectGUID : c1e397c5-1e44-4270-94d1-88d6c4b78ee6 GroupCategory : Security SamAccountName : Users name : Users objectClass : group SID : S-1-5-32-545 distinguishedName : CN=Users,CN=Builtin,DC=Fabrikam,DC=com </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Returns all security groups for the specified account with SamAccountName: GlenJohn. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADAccountAuthorizationGroup "cn=GlenJohn,dc=AppNC" -Server <Server>:50000 distinguishedName : CN=AdminGroup,DC=AppNC GroupCategory : Security GroupScope : Global name : AdminGroup objectClass : group objectGUID : 4d72873f-fe09-4834-9ada-a905636d10df SamAccountName : SID : S-1-510474493-936115905-4021890855-1253703389-3958791574-3542197427 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Returns all security groups for the specified account with DistinguishedName: "cn=GlenJohn,dc=AppNC" in the AD LDS instance: <Server>:50000. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADAccountAuthorizationGroup -Server <Server>:50000 -Identity Administrator | where { $_.objectClass -ne $null } | ft name, objectClass name objectClass ---- ----------- Domain Users group Administrators group Users group Pre-Windows 2000 Compatible Access group Group Policy Creator Owners group Domain Admins group Enterprise Admins group Schema Admins group Denied RODC Password Replication Group group </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Returns a filtered list of built-in security groups which do not have an empty or null setting for objectclass (such as Everyone or Authenticated Users). (Note: This type of filtering of groups in output can be useful when piping the output of this cmdlet to be used as input to other Active Directory cmdlets.) </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291015</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADComputer</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADUser</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Search-ADAccount</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADAccountResultantPasswordReplicationPolicy</command:name><maml:description><maml:para>Gets the resultant password replication policy for an Active Directory account.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADAccountResultantPasswordReplicationPolicy</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADAccountResultantPasswordReplicationPolicy gets the resultant password replication policy for a user, computer or service account on the specified read-only domain controller. </maml:para><maml:para>The policy will be one of the following values: </maml:para><maml:para>Allow or 1 </maml:para><maml:para>DenyExplicit or 0 </maml:para><maml:para>DenyImplicit or 2 </maml:para><maml:para>Unknown or -1 </maml:para><maml:para>The Identity parameter specifies the account. You can identify a user, computer, or service account object by its distinguished name (DN), GUID, security identifier (SID) or Security Account Manager (SAM) account name. You can also set the Identity parameter to an account object variable, such as $<localAccountobject>, or pass an account object through the pipeline to the Identity parameter. For example, you can use the Get-ADUser, Get-ADComputer, Get-ADServiceAccount or Search-ADAccount cmdlets to retrieve an account object and then pass the object through the pipeline to the Get-ADAccountResultantPasswordReplicationPolicy cmdlet. </maml:para><maml:para>The DomainController parameter specifies the read-only domain controller. You can identify a domain controller by its IPV4Address, global IPV6Address, or DNS host name. You can also identify a domain controller by the Distinguished Name (DN) of the NTDS settings object or the server object, the GUID of the NTDS settings object or the server object under the configuration partition, or the DN, SamAccountName, GUID, SID of the computer object that represents the domain controller. You can also set the DomainController parameter to a domain controller object variable, such as $<localDomainControllerObject>. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADAccountResultantPasswordReplicationPolicy</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory account object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis ,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an account object instance. </maml:para><maml:para>Derived types such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saradavis,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to an account object instance named "accountInstance". </maml:para><maml:para>-Identity $accountInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAccount</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>DomainController</maml:name><maml:description><maml:para>Specifies a read-only domain controller (RODC). The cmdlet returns the password replication policy of the account for this RODC. You can identify the domain controller by providing one of the following values. </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 768c44de-f72d-66e0-8a88-0523ca495f20 </maml:para><maml:para>IPV4Address </maml:para><maml:para>Example:157.59.132.61 </maml:para><maml:para>Global IPV6Address </maml:para><maml:para>Example: 2001:4898:0:fff:200:5efe:157.59.132.61 </maml:para><maml:para>DNS Host Name (dNSHostName) </maml:para><maml:para>Example: corp-DC01.corp.contoso.com </maml:para><maml:para>Name of the server object </maml:para><maml:para>Example: corp-DC01$ </maml:para><maml:para>Distinguished Name (DN) of the NTDS Settings object </maml:para><maml:para>Example: CN=NTDS Settings,CN=CORP-DC12,CN=Servers,CN=NA-CAN-QBC,CN=Sites,CN=Configuration,DC=corp,DC=contoso </maml:para><maml:para>Distinguished Name (DN) of the server object that represents the domain controller </maml:para><maml:para>Example: CN=CORP-DC12,CN=Servers,CN=NA-CAN-QBC,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID of NTDS settings object under the configuration partition </maml:para><maml:para>Example: 68adaf21-e28d-6012-bca8-320d93450ab0 </maml:para><maml:para>GUID of server object under the configuration partition </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Distinguished Name (DN) of the computer object that represents the domain controller. </maml:para><maml:para>Example: CN=CORP-DC12,OU=Domain Controllers,DC=corp,DC=contoso,DC=com </maml:para><maml:para>Note: The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>The following example shows how to set this parameter to the DNS host name of a domain controller. </maml:para><maml:para>-DomainController "corp-DC01.corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADDomainController</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>DomainController</maml:name><maml:description><maml:para>Specifies a read-only domain controller (RODC). The cmdlet returns the password replication policy of the account for this RODC. You can identify the domain controller by providing one of the following values. </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 768c44de-f72d-66e0-8a88-0523ca495f20 </maml:para><maml:para>IPV4Address </maml:para><maml:para>Example:157.59.132.61 </maml:para><maml:para>Global IPV6Address </maml:para><maml:para>Example: 2001:4898:0:fff:200:5efe:157.59.132.61 </maml:para><maml:para>DNS Host Name (dNSHostName) </maml:para><maml:para>Example: corp-DC01.corp.contoso.com </maml:para><maml:para>Name of the server object </maml:para><maml:para>Example: corp-DC01$ </maml:para><maml:para>Distinguished Name (DN) of the NTDS Settings object </maml:para><maml:para>Example: CN=NTDS Settings,CN=CORP-DC12,CN=Servers,CN=NA-CAN-QBC,CN=Sites,CN=Configuration,DC=corp,DC=contoso </maml:para><maml:para>Distinguished Name (DN) of the server object that represents the domain controller </maml:para><maml:para>Example: CN=CORP-DC12,CN=Servers,CN=NA-CAN-QBC,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID of NTDS settings object under the configuration partition </maml:para><maml:para>Example: 68adaf21-e28d-6012-bca8-320d93450ab0 </maml:para><maml:para>GUID of server object under the configuration partition </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Distinguished Name (DN) of the computer object that represents the domain controller. </maml:para><maml:para>Example: CN=CORP-DC12,OU=Domain Controllers,DC=corp,DC=contoso,DC=com </maml:para><maml:para>Note: The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>The following example shows how to set this parameter to the DNS host name of a domain controller. </maml:para><maml:para>-DomainController "corp-DC01.corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADDomainController</command:parameterValue><dev:type><maml:name>ADDomainController</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory account object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis ,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an account object instance. </maml:para><maml:para>Derived types such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saradavis,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to an account object instance named "accountInstance". </maml:para><maml:para>-Identity $accountInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAccount</command:parameterValue><dev:type><maml:name>ADAccount</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADAccount</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>An account object is received by the Identity parameter. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADResultantPasswordReplicationPolicy</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns an ADResultantPasswordReplicationPolicy enum value that represents the resultant password replication policy for an account on the specified domain controller. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with AD LDS. </maml:para><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADAccountResultantPasswordReplicationPolicy BradSu "FABRIKAM-RODC1" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the resultant password replication policy on the domain for a given user account. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADAccountResultantPasswordReplicationPolicy BobKe -DomainController "FABRIKAM-RODC1" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the resultant password replication policy on a specific domain controller for a given user account. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADAccountResultantPasswordReplicationPolicy "CN=Jordao Moreno,OU=Europe,OU=Sales,OU=UserAccounts,DC=FABRIKAM,DC=COM" "FABRIKAM-RODC1" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the resultant password replication policy on a specific domain controller for a given user account DN. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291016</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADComputer</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADUser</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Search-ADAccount</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADAuthenticationPolicy</command:name><maml:description><maml:para>Gets one or more Active Directory Domain Services authentication policies.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADAuthenticationPolicy</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADAuthenticationPolicy cmdlet gets an authentication policy or performs a search to get authentication policies. </maml:para><maml:para>The Identity parameter specifies the Active Directory Domain Services authentication policy to get. You can identify an authentication policy by its distinguished name (DN), GUID or name. You can also use the Identity parameter to specify a variable that contains an authentication policy object, or you can use the pipeline operator to pass an authentication policy object to the Identity parameter.</maml:para><maml:para>You can search for and use multiple authentication policies by specifying the Filter parameter or the LDAPFilter parameter. The Filter parameter uses the Windows PowerShell® expression language to write query strings for Active Directory Domain Services. Windows PowerShell expression language syntax provides rich type conversion support for value types received by the Filter parameter. For more information about the Filter parameter syntax, see about_ActiveDirectory_Filter. If you have existing LDAP query strings, you can use the LDAPFilter parameter.</maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADAuthenticationPolicy</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. The acceptable values for this parameter are: --Negotiate or 0 --Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.</maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform the task. The default is the current user. Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the <maml:navigationLink><maml:linkText>Get-Credential</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet. </maml:para><maml:para>By default, the cmdlet uses the credentials of the currently logged on user unless the cmdlet is run from an Active Directory Domain ServicesWindows PowerShell provider drive. If you run the cmdlet in a provider drive, the account associated with the drive is the default.</maml:para><maml:para>If you specify credentials that do not have permission to perform the task, the cmdlet returns an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to get from the server. Use this parameter to get properties that are not included in the default set. </maml:para><maml:para>Specify the properties to get as a comma separated list of names. For properties that are not default or extended properties, you must specify the LDAP display name of the property. To display all of the properties that are set on the object, specify an asterisk wildcard.</maml:para><maml:para>To get properties for an object and display them, you can use this cmdlet and pass the output to the <maml:navigationLink><maml:linkText>Get-Member</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet by using the pipeline operator. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. The default value is 256 objects per page. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to get all of the objects, set this parameter to $Null. You can use Ctrl+C to stop the query and the return of objects. </maml:para><maml:para>The default value is $Null. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to which to connect, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Specify the Active Directory Domain Services instance in one of the following ways: --Domain name values: ----Fully qualified domain name ----NetBIOS name --Directory server values: ----Fully qualified directory server name ----NetBIOS name ----Fully qualified directory server name and port</maml:para><maml:para>The default value for this parameter is determined by one of the following methods in the order that they are listed: --By using the Server value from objects passed through the pipeline --By using the server information associated with the Active Directory Domain ServicesWindows PowerShell provider drive, when the cmdlet runs in that drive --By using the domain of the computer running Windows PowerShell</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory Domain Services objects. This string uses the Windows PowerShell expression language syntax. The Windows PowerShell expression language syntax provides rich type-conversion support for value types received by the Filter parameter. </maml:para><maml:para>Specify the Filter parameter in one of the following formats: --To match a single filter element: {Attributeoperator "value"} --To match multiple filter elements: {(Attribute1operator1 "value1") joinOperator (Attribute2operator2 "value2")}</maml:para><maml:para>Windows PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax.</maml:para><maml:para>Valid filter operators are: -eq, -le, -ge, -ne, -lt, -gt, -approx, -bor, -band, -recursivematch, -like, -notlike </maml:para><maml:para>Valid join operators are: -and, -or </maml:para><maml:para>The not operator is -not </maml:para><maml:para>For a list of supported types for values, see about_ActiveDirectory_ObjectModel. For more information about the Filter parameter, see about_ActiveDirectory_Filter.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADAuthenticationPolicy</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="0" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory Domain Services authentication policy object. Specify the authentication policy object in one of the following formats: --Distinguished Name --GUID --Name</maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If the cmdlet finds two or more objects, the cmdlet returns a non-terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. The acceptable values for this parameter are: --Negotiate or 0 --Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.</maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform the task. The default is the current user. Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the <maml:navigationLink><maml:linkText>Get-Credential</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet. </maml:para><maml:para>By default, the cmdlet uses the credentials of the currently logged on user unless the cmdlet is run from an Active Directory Domain ServicesWindows PowerShell provider drive. If you run the cmdlet in a provider drive, the account associated with the drive is the default.</maml:para><maml:para>If you specify credentials that do not have permission to perform the task, the cmdlet returns an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to get from the server. Use this parameter to get properties that are not included in the default set. </maml:para><maml:para>Specify the properties to get as a comma separated list of names. For properties that are not default or extended properties, you must specify the LDAP display name of the property. To display all of the properties that are set on the object, specify an asterisk wildcard.</maml:para><maml:para>To get properties for an object and display them, you can use this cmdlet and pass the output to the <maml:navigationLink><maml:linkText>Get-Member</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet by using the pipeline operator. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to which to connect, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Specify the Active Directory Domain Services instance in one of the following ways: --Domain name values: ----Fully qualified domain name ----NetBIOS name --Directory server values: ----Fully qualified directory server name ----NetBIOS name ----Fully qualified directory server name and port</maml:para><maml:para>The default value for this parameter is determined by one of the following methods in the order that they are listed: --By using the Server value from objects passed through the pipeline --By using the server information associated with the Active Directory Domain ServicesWindows PowerShell provider drive, when the cmdlet runs in that drive --By using the domain of the computer running Windows PowerShell</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADAuthenticationPolicy</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. The acceptable values for this parameter are: --Negotiate or 0 --Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.</maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform the task. The default is the current user. Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the <maml:navigationLink><maml:linkText>Get-Credential</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet. </maml:para><maml:para>By default, the cmdlet uses the credentials of the currently logged on user unless the cmdlet is run from an Active Directory Domain ServicesWindows PowerShell provider drive. If you run the cmdlet in a provider drive, the account associated with the drive is the default.</maml:para><maml:para>If you specify credentials that do not have permission to perform the task, the cmdlet returns an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to get from the server. Use this parameter to get properties that are not included in the default set. </maml:para><maml:para>Specify the properties to get as a comma separated list of names. For properties that are not default or extended properties, you must specify the LDAP display name of the property. To display all of the properties that are set on the object, specify an asterisk wildcard.</maml:para><maml:para>To get properties for an object and display them, you can use this cmdlet and pass the output to the <maml:navigationLink><maml:linkText>Get-Member</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet by using the pipeline operator. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. The default value is 256 objects per page. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to get all of the objects, set this parameter to $Null. You can use Ctrl+C to stop the query and the return of objects. </maml:para><maml:para>The default value is $Null. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to which to connect, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Specify the Active Directory Domain Services instance in one of the following ways: --Domain name values: ----Fully qualified domain name ----NetBIOS name --Directory server values: ----Fully qualified directory server name ----NetBIOS name ----Fully qualified directory server name and port</maml:para><maml:para>The default value for this parameter is determined by one of the following methods in the order that they are listed: --By using the Server value from objects passed through the pipeline --By using the server information associated with the Active Directory Domain ServicesWindows PowerShell provider drive, when the cmdlet runs in that drive --By using the domain of the computer running Windows PowerShell</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LDAPFilter</maml:name><maml:description><maml:para>Specifies an LDAP query string used to filter Active Directory Domain Services objects. Use this parameter to run your existing LDAP queries. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. The acceptable values for this parameter are: --Negotiate or 0 --Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform the task. The default is the current user. Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the <maml:navigationLink><maml:linkText>Get-Credential</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet. </maml:para><maml:para>By default, the cmdlet uses the credentials of the currently logged on user unless the cmdlet is run from an Active Directory Domain ServicesWindows PowerShell provider drive. If you run the cmdlet in a provider drive, the account associated with the drive is the default.</maml:para><maml:para>If you specify credentials that do not have permission to perform the task, the cmdlet returns an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory Domain Services objects. This string uses the Windows PowerShell expression language syntax. The Windows PowerShell expression language syntax provides rich type-conversion support for value types received by the Filter parameter. </maml:para><maml:para>Specify the Filter parameter in one of the following formats: --To match a single filter element: {Attributeoperator "value"} --To match multiple filter elements: {(Attribute1operator1 "value1") joinOperator (Attribute2operator2 "value2")}</maml:para><maml:para>Windows PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax.</maml:para><maml:para>Valid filter operators are: -eq, -le, -ge, -ne, -lt, -gt, -approx, -bor, -band, -recursivematch, -like, -notlike </maml:para><maml:para>Valid join operators are: -and, -or </maml:para><maml:para>The not operator is -not </maml:para><maml:para>For a list of supported types for values, see about_ActiveDirectory_ObjectModel. For more information about the Filter parameter, see about_ActiveDirectory_Filter.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="0" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory Domain Services authentication policy object. Specify the authentication policy object in one of the following formats: --Distinguished Name --GUID --Name</maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If the cmdlet finds two or more objects, the cmdlet returns a non-terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue><dev:type><maml:name>ADAuthenticationPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LDAPFilter</maml:name><maml:description><maml:para>Specifies an LDAP query string used to filter Active Directory Domain Services objects. Use this parameter to run your existing LDAP queries. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to get from the server. Use this parameter to get properties that are not included in the default set. </maml:para><maml:para>Specify the properties to get as a comma separated list of names. For properties that are not default or extended properties, you must specify the LDAP display name of the property. To display all of the properties that are set on the object, specify an asterisk wildcard.</maml:para><maml:para>To get properties for an object and display them, you can use this cmdlet and pass the output to the <maml:navigationLink><maml:linkText>Get-Member</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet by using the pipeline operator. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. The default value is 256 objects per page. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue>256</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to get all of the objects, set this parameter to $Null. You can use Ctrl+C to stop the query and the return of objects. </maml:para><maml:para>The default value is $Null. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to which to connect, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Specify the Active Directory Domain Services instance in one of the following ways: --Domain name values: ----Fully qualified domain name ----NetBIOS name --Directory server values: ----Fully qualified directory server name ----NetBIOS name ----Fully qualified directory server name and port</maml:para><maml:para>The default value for this parameter is determined by one of the following methods in the order that they are listed: --By using the Server value from objects passed through the pipeline --By using the server information associated with the Active Directory Domain ServicesWindows PowerShell provider drive, when the cmdlet runs in that drive --By using the domain of the computer running Windows PowerShell</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADAuthenticationPolicy</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>This cmdlet accepts an authentication policy object.</maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADAuthenticationPolicy</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns one or more authentication policy objects. This cmdlet returns a default set of ADAuthenticationPolicy property values. To retrieve additional ADAuthenticationPolicy properties, use the Properties parameter.</maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title>Example 1: Get an authentication policy</maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\> Get-ADAuthenticationPolicy -Identity AuthenticationPolicy01 </dev:code><dev:remarks><maml:para>This command gets an authentication policy object by specifying the object name. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title>Example 2: Get an authentication policy by using an LDAP filter</maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\> Get-ADAuthenticationPolicy -LDAPFilter "(name=AuthenticationPolicy*)" -Server Server01.Contoso.com </dev:code><dev:remarks><maml:para>This command gets all authentication policies that match the LDAP filter specified by the LDAPFilter parameter. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title>Example 3: Get an authentication policy by using a filter</maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\> Get-ADAuthenticationPolicy -Filter "Name -like 'AuthenticationPolicy*'" -Server Server02.Contoso.com </dev:code><dev:remarks><maml:para>This command gets all authentication policies that match the filter specified by the Filter parameter.</maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title>Example 4: Get all authentication policy objects that match a filter</maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\> Get-ADAuthenticationPolicy -Filter * | Format-Table Name, Enforce -AutoSize Name Enforce ---- ------- AuthenticationPolicy1 False AuthenticationPolicy2 False </dev:code><dev:remarks><maml:para>This command gets all the authentication policies available. The output is then passed to the Format-Table cmdlet to display the name of the policy and the value for Enforce on each policy. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title>Example 5: Get all properties for an authentication policy </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\> Get-ADAuthenticationPolicy -Identity "AuthenticationPolicy01" -Properties "*" </dev:code><dev:remarks><maml:para>This command gets all properties of the authentication policy specified by the Identity parameter. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=288129</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADAuthenticationPolicy</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADAuthenticationPolicy</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADAuthenticationPolicy</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADAuthenticationPolicySilo</command:name><maml:description><maml:para>Gets one or more Active Directory Domain Services authentication policy silos.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADAuthenticationPolicySilo</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADAuthenticationPolicySilo cmdlet gets an authentication policy silo or performs a search to get authentication policy silos. </maml:para><maml:para>The Identity parameter specifies the Active Directory Domain Services authentication policy silo to get. You can identify an authentication policy silo by its distinguished name (DN), GUID or name. You can also use the Identity parameter to specify a variable that contains an authentication policy silo object, or you can use the pipeline operator to pass an authentication policy silo object to the Identity parameter.</maml:para><maml:para>You can search for and use multiple authentication policies by specifying the Filter parameter or the LDAPFilter parameter. The Filter parameter uses the Windows PowerShell® expression language to write query strings for Active Directory Domain Services. Windows PowerShell expression language syntax provides rich type conversion support for value types received by the Filter parameter. For more information about the Filter parameter syntax, see about_ActiveDirectory_Filter. If you have existing LDAP query strings, you can use the LDAPFilter parameter.</maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADAuthenticationPolicySilo</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. The acceptable values for this parameter are: --Negotiate or 0 --Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.</maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform the task. The default is the current user. Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the <maml:navigationLink><maml:linkText>Get-Credential</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet. </maml:para><maml:para>By default, the cmdlet uses the credentials of the currently logged on user unless the cmdlet is run from an Active Directory Domain ServicesWindows PowerShell provider drive. If you run the cmdlet in a provider drive, the account associated with the drive is the default.</maml:para><maml:para>If you specify credentials that do not have permission to perform the task, the cmdlet returns an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to get from the server. Use this parameter to get properties that are not included in the default set. </maml:para><maml:para>Specify the properties to get as a comma separated list of names. For properties that are not default or extended properties, you must specify the LDAP display name of the property. To display all of the properties that are set on the object, specify an asterisk wildcard.</maml:para><maml:para>To get properties for an object and display them, you can use this cmdlet and pass the output to the <maml:navigationLink><maml:linkText>Get-Member</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet by using the pipeline operator. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. The default value is 256 objects per page. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to get all of the objects, set this parameter to $Null. You can use Ctrl+C to stop the query and the return of objects. </maml:para><maml:para>The default value is $Null. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to which to connect, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Specify the Active Directory Domain Services instance in one of the following ways: --Domain name values: ----Fully qualified domain name ----NetBIOS name --Directory server values: ----Fully qualified directory server name ----NetBIOS name ----Fully qualified directory server name and port</maml:para><maml:para>The default value for this parameter is determined by one of the following methods in the order that they are listed: --By using the Server value from objects passed through the pipeline --By using the server information associated with the Active Directory Domain ServicesWindows PowerShell provider drive, when the cmdlet runs in that drive --By using the domain of the computer running Windows PowerShell</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory Domain Services objects. This string uses the Windows PowerShell expression language syntax. The Windows PowerShell expression language syntax provides rich type-conversion support for value types received by the Filter parameter. </maml:para><maml:para>Specify the Filter parameter in one of the following formats: --To match a single filter element: {Attributeoperator "value"} --To match multiple filter elements: {(Attribute1operator1 "value1") joinOperator (Attribute2operator2 "value2")}</maml:para><maml:para>Windows PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax.</maml:para><maml:para>Valid filter operators are: -eq, -le, -ge, -ne, -lt, -gt, -approx, -bor, -band, -recursivematch, -like, -notlike </maml:para><maml:para>Valid join operators are: -and, -or </maml:para><maml:para>The not operator is -not </maml:para><maml:para>For a list of supported types for values, see about_ActiveDirectory_ObjectModel. For more information about the Filter parameter, see about_ActiveDirectory_Filter.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADAuthenticationPolicySilo</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="0" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory Domain Services authentication policy silo object. Specify the authentication policy silo object in one of the following formats: --Distinguished Name --GUID --Name</maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If the cmdlet finds two or more objects, the cmdlet returns a non-terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicySilo</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. The acceptable values for this parameter are: --Negotiate or 0 --Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.</maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform the task. The default is the current user. Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the <maml:navigationLink><maml:linkText>Get-Credential</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet. </maml:para><maml:para>By default, the cmdlet uses the credentials of the currently logged on user unless the cmdlet is run from an Active Directory Domain ServicesWindows PowerShell provider drive. If you run the cmdlet in a provider drive, the account associated with the drive is the default.</maml:para><maml:para>If you specify credentials that do not have permission to perform the task, the cmdlet returns an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to get from the server. Use this parameter to get properties that are not included in the default set. </maml:para><maml:para>Specify the properties to get as a comma separated list of names. For properties that are not default or extended properties, you must specify the LDAP display name of the property. To display all of the properties that are set on the object, specify an asterisk wildcard.</maml:para><maml:para>To get properties for an object and display them, you can use this cmdlet and pass the output to the <maml:navigationLink><maml:linkText>Get-Member</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet by using the pipeline operator. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to which to connect, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Specify the Active Directory Domain Services instance in one of the following ways: --Domain name values: ----Fully qualified domain name ----NetBIOS name --Directory server values: ----Fully qualified directory server name ----NetBIOS name ----Fully qualified directory server name and port</maml:para><maml:para>The default value for this parameter is determined by one of the following methods in the order that they are listed: --By using the Server value from objects passed through the pipeline --By using the server information associated with the Active Directory Domain ServicesWindows PowerShell provider drive, when the cmdlet runs in that drive --By using the domain of the computer running Windows PowerShell</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADAuthenticationPolicySilo</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. The acceptable values for this parameter are: --Negotiate or 0 --Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.</maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform the task. The default is the current user. Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the <maml:navigationLink><maml:linkText>Get-Credential</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet. </maml:para><maml:para>By default, the cmdlet uses the credentials of the currently logged on user unless the cmdlet is run from an Active Directory Domain ServicesWindows PowerShell provider drive. If you run the cmdlet in a provider drive, the account associated with the drive is the default.</maml:para><maml:para>If you specify credentials that do not have permission to perform the task, the cmdlet returns an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to get from the server. Use this parameter to get properties that are not included in the default set. </maml:para><maml:para>Specify the properties to get as a comma separated list of names. For properties that are not default or extended properties, you must specify the LDAP display name of the property. To display all of the properties that are set on the object, specify an asterisk wildcard.</maml:para><maml:para>To get properties for an object and display them, you can use this cmdlet and pass the output to the <maml:navigationLink><maml:linkText>Get-Member</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet by using the pipeline operator. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. The default value is 256 objects per page. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to get all of the objects, set this parameter to $Null. You can use Ctrl+C to stop the query and the return of objects. </maml:para><maml:para>The default value is $Null. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to which to connect, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Specify the Active Directory Domain Services instance in one of the following ways: --Domain name values: ----Fully qualified domain name ----NetBIOS name --Directory server values: ----Fully qualified directory server name ----NetBIOS name ----Fully qualified directory server name and port</maml:para><maml:para>The default value for this parameter is determined by one of the following methods in the order that they are listed: --By using the Server value from objects passed through the pipeline --By using the server information associated with the Active Directory Domain ServicesWindows PowerShell provider drive, when the cmdlet runs in that drive --By using the domain of the computer running Windows PowerShell</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LDAPFilter</maml:name><maml:description><maml:para>Specifies an LDAP query string used to filter Active Directory Domain Services objects. Use this parameter to run your existing LDAP queries. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. The acceptable values for this parameter are: --Negotiate or 0 --Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform the task. The default is the current user. Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the <maml:navigationLink><maml:linkText>Get-Credential</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet. </maml:para><maml:para>By default, the cmdlet uses the credentials of the currently logged on user unless the cmdlet is run from an Active Directory Domain ServicesWindows PowerShell provider drive. If you run the cmdlet in a provider drive, the account associated with the drive is the default.</maml:para><maml:para>If you specify credentials that do not have permission to perform the task, the cmdlet returns an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory Domain Services objects. This string uses the Windows PowerShell expression language syntax. The Windows PowerShell expression language syntax provides rich type-conversion support for value types received by the Filter parameter. </maml:para><maml:para>Specify the Filter parameter in one of the following formats: --To match a single filter element: {Attributeoperator "value"} --To match multiple filter elements: {(Attribute1operator1 "value1") joinOperator (Attribute2operator2 "value2")}</maml:para><maml:para>Windows PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax.</maml:para><maml:para>Valid filter operators are: -eq, -le, -ge, -ne, -lt, -gt, -approx, -bor, -band, -recursivematch, -like, -notlike </maml:para><maml:para>Valid join operators are: -and, -or </maml:para><maml:para>The not operator is -not </maml:para><maml:para>For a list of supported types for values, see about_ActiveDirectory_ObjectModel. For more information about the Filter parameter, see about_ActiveDirectory_Filter.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="0" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory Domain Services authentication policy silo object. Specify the authentication policy silo object in one of the following formats: --Distinguished Name --GUID --Name</maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If the cmdlet finds two or more objects, the cmdlet returns a non-terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicySilo</command:parameterValue><dev:type><maml:name>ADAuthenticationPolicySilo</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LDAPFilter</maml:name><maml:description><maml:para>Specifies an LDAP query string used to filter Active Directory Domain Services objects. Use this parameter to run your existing LDAP queries. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to get from the server. Use this parameter to get properties that are not included in the default set. </maml:para><maml:para>Specify the properties to get as a comma separated list of names. For properties that are not default or extended properties, you must specify the LDAP display name of the property. To display all of the properties that are set on the object, specify an asterisk wildcard.</maml:para><maml:para>To get properties for an object and display them, you can use this cmdlet and pass the output to the <maml:navigationLink><maml:linkText>Get-Member</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet by using the pipeline operator. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. The default value is 256 objects per page. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue>256</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to get all of the objects, set this parameter to $Null. You can use Ctrl+C to stop the query and the return of objects. </maml:para><maml:para>The default value is $Null. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to which to connect, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Specify the Active Directory Domain Services instance in one of the following ways: --Domain name values: ----Fully qualified domain name ----NetBIOS name --Directory server values: ----Fully qualified directory server name ----NetBIOS name ----Fully qualified directory server name and port</maml:para><maml:para>The default value for this parameter is determined by one of the following methods in the order that they are listed: --By using the Server value from objects passed through the pipeline --By using the server information associated with the Active Directory Domain ServicesWindows PowerShell provider drive, when the cmdlet runs in that drive --By using the domain of the computer running Windows PowerShell</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADAuthenticationPolicySilo</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>This cmdlet accepts an authentication policy silo object. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADAuthenticationPolicySilo</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns one or more authentication policy silo objects. This cmdlet returns a default set of ADAuthenticationPolicySilo property values. To retrieve additional ADAuthenticationPolicySilo properties, use the Properties parameter.</maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title>Example 1: Get an authentication policy silo object</maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\>Get-ADAuthenticationPolicySilo -Identity AuthenticationPolicySilo01 </dev:code><dev:remarks><maml:para>This command gets an authentication policy silo object named AuthenticationPolicySilo01.</maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title>Example 2: Get all authentication policy silo objects that match a filter</maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\>Get-ADAuthenticationPolicySilo -Filter 'Name -like "*AuthenticationPolicySilo*"' | Format-Table Name, Enforce –AutoSize Name Enforce ---- ------- silo True silos False </dev:code><dev:remarks><maml:para>This command gets all the authentication policy silos that match the filter specified by the Filter parameter. The output is then passed to the Format-Table cmdlet to display the name of the policy and the value for Enforce on each policy.</maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title>Example 3: Get all properties of a specific authentication policy silo</maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\>Get-ADAuthenticationPolicySilo -Identity AuthenticationPolicySilo02 -Properties * </dev:code><dev:remarks><maml:para>This command gets all properties for the authentication policy silo named AuthenticationPolicySilo02.</maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=288159</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADAuthenticationPolicySilo</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADAuthenticationPolicySilo</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADAuthenticationPolicySilo</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADCentralAccessPolicy</command:name><maml:description><maml:para>Retrieves central access policies from Active Directory.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADCentralAccessPolicy</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADCentralAccessPolicy cmdlet retrieves central access policies from Active Directory. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADCentralAccessPolicy</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADCentralAccessPolicy</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Finance Policy,CN=Central Access Policies,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADCentralAccessPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADCentralAccessPolicy</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LDAPFilter</maml:name><maml:description><maml:para>Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description and the about_ActiveDirectory_Filter. </maml:para><maml:para>The following example shows how to set this parameter to search for all objects in the organizational unit specified by the SearchBase parameter with a name beginning with "sara". </maml:para><maml:para>-LDAPFilter "(name=sara*)" -SearchScope Subtree -SearchBase "DC=NA,DC=fabrikam,DC=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Finance Policy,CN=Central Access Policies,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADCentralAccessPolicy</command:parameterValue><dev:type><maml:name>ADCentralAccessPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LDAPFilter</maml:name><maml:description><maml:para>Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description and the about_ActiveDirectory_Filter. </maml:para><maml:para>The following example shows how to set this parameter to search for all objects in the organizational unit specified by the SearchBase parameter with a name beginning with "sara". </maml:para><maml:para>-LDAPFilter "(name=sara*)" -SearchScope Subtree -SearchBase "DC=NA,DC=fabrikam,DC=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue>256</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADCentralAccessPolicy</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A ADCentralAccessPolicy object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADCentralAccessPolicy</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns one or more ADCentralAccessPolicy objects. </maml:para><maml:para>The Get-ADCentralAccessPolicy cmdlet returns a default set of ADCentralAccessPolicy property values. To retrieve additional ADCentralAccessPolicy properties, use the Properties parameter of the cmdlet. </maml:para><maml:para>To view the properties for an ADCentralAccessPolicy object, see the following examples. To run these examples, replace <object> with an Active Directory object identifier. </maml:para><maml:para>To get a list of the default set of properties of an ADCentralAccessPolicy object, use the following command: </maml:para><maml:para>Get-ADCentralAccessPolicy <object> </maml:para><maml:para>To get a list of all the properties of an ADCentralAccessPolicy object, use the following command: </maml:para><maml:para>Get-ADCentralAccessPolicy <object> -Properties * </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADCentralAccessPolicy -Filter * </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Retrieves a list of all central access policies. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADCentralAccessPolicy -Filter {Members -eq 'Finance Documents Rule'} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the central access policies that have the central access rule 'Finance Documents Rule' as its members. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADCentralAccessPolicy "Finance Policy" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Gets information for a central access policy named "Finance Policy". </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291017</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADCentralAccessRule</command:name><maml:description><maml:para>Retrieves central access rules from Active Directory.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADCentralAccessRule</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADCentralAccessRule cmdlet retrieves central access rules from Active Directory. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADCentralAccessRule</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADCentralAccessRule</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Finance Documents Rule,CN=Central Access Rules,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADCentralAccessRule</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADCentralAccessRule</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LDAPFilter</maml:name><maml:description><maml:para>Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description and the about_ActiveDirectory_Filter. </maml:para><maml:para>The following example shows how to set this parameter to search for all objects in the organizational unit specified by the SearchBase parameter with a name beginning with "sara". </maml:para><maml:para>-LDAPFilter "(name=sara*)" -SearchScope Subtree -SearchBase "DC=NA,DC=fabrikam,DC=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Finance Documents Rule,CN=Central Access Rules,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADCentralAccessRule</command:parameterValue><dev:type><maml:name>ADCentralAccessRule</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LDAPFilter</maml:name><maml:description><maml:para>Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description and the about_ActiveDirectory_Filter. </maml:para><maml:para>The following example shows how to set this parameter to search for all objects in the organizational unit specified by the SearchBase parameter with a name beginning with "sara". </maml:para><maml:para>-LDAPFilter "(name=sara*)" -SearchScope Subtree -SearchBase "DC=NA,DC=fabrikam,DC=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue>256</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADCentralAccessPolicyEntry</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A ADCentralAccessPolicyEntry object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADCentralAccessRule</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns one or more ADCentralAccessRule objects. </maml:para><maml:para>The Get-ADCentralAccessRule cmdlet returns a default set of ADCentralAccessRule property values. To retrieve additional ADCentralAccessRule properties, use the Properties parameter of the cmdlet. </maml:para><maml:para>To view the properties for an ADCentralAccessRule object, see the following examples. To run these examples, replace <object> with an Active Directory object identifier. </maml:para><maml:para>To get a list of the default set of properties of an ADCentralAccessRule object, use the following command: </maml:para><maml:para>Get-ADCentralAccessRule <object> </maml:para><maml:para>To get a list of all the properties of an ADCentralAccessRule object, use the following command: </maml:para><maml:para>Get-ADCentralAccessRule <object> -Properties * </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADCentralAccessRule -Filter * </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Retrieves a list of all central access rules. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADCentralAccessRule -Filter { ResourceCondition -like "*Department*" } </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Retrieve the central access rules that have "Department" in its resource condition. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADCentralAccessRule "Financial Documents Rule" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Retrieve a central access rule named "Finance Documents Rule". </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291018</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADClaimTransformPolicy</command:name><maml:description><maml:para>Returns one or more Active Directory claim transform objects based on a specified filter.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADClaimTransformPolicy</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADClaimTransformPolicy cmdlet returns one or more Active Directory claim transform objects based on a specified filter. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADClaimTransformPolicy</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADClaimTransformPolicy</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=DenyAllPolicy,CN=Claims Transformation Policies,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimTransformPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADClaimTransformPolicy</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LDAPFilter</maml:name><maml:description><maml:para>Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description and the about_ActiveDirectory_Filter. </maml:para><maml:para>The following example shows how to set this parameter to search for all objects in the organizational unit specified by the SearchBase parameter with a name beginning with "sara". </maml:para><maml:para>-LDAPFilter "(name=sara*)" -SearchScope Subtree -SearchBase "DC=NA,DC=fabrikam,DC=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=DenyAllPolicy,CN=Claims Transformation Policies,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimTransformPolicy</command:parameterValue><dev:type><maml:name>ADClaimTransformPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue>All Sites (Filter *)</dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LDAPFilter</maml:name><maml:description><maml:para>Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description and the about_ActiveDirectory_Filter. </maml:para><maml:para>The following example shows how to set this parameter to search for all objects in the organizational unit specified by the SearchBase parameter with a name beginning with "sara". </maml:para><maml:para>-LDAPFilter "(name=sara*)" -SearchScope Subtree -SearchBase "DC=NA,DC=fabrikam,DC=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADClaimTransformPolicy</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A claim transform policy object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADClaimTransformPolicy</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADClaimTransformPolicy -Filter * </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Retrieves a list of all claims transformation policies. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>$contoso = Get-ADTrust "corp.contoso.com"; Get-ADClaimTransformPolicy -Filter {IncomingTrust -eq $contoso -or OutgoingTrust -eq $contoso} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Gets all the claims transformation policies that are applied to trusts made with 'corp.contoso.com'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADClaimTransformPolicy DenyAllPolicy </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the claims transformation policy with the name 'DenyAllPolicy' </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADClaimTransformPolicy -LDAPFilter "(name=DenyAll*)" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Gets information on any claims transformation policies using an LDAP-based query filter that looks for matches where policies have a name that starts with the word "DenyAll". </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291019</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADClaimType</command:name><maml:description><maml:para>Returns a claim type from Active Directory. </maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADClaimType</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADClaimType cmdlet returns a claim type defined in Active Drectory. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADClaimType</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADClaimType</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Employee Type,CN=Claim Types,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimType</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADClaimType</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LDAPFilter</maml:name><maml:description><maml:para>Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description and the about_ActiveDirectory_Filter. </maml:para><maml:para>The following example shows how to set this parameter to search for all objects in the organizational unit specified by the SearchBase parameter with a name beginning with "sara". </maml:para><maml:para>-LDAPFilter "(name=sara*)" -SearchScope Subtree -SearchBase "DC=NA,DC=fabrikam,DC=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Employee Type,CN=Claim Types,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimType</command:parameterValue><dev:type><maml:name>ADClaimType</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LDAPFilter</maml:name><maml:description><maml:para>Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description and the about_ActiveDirectory_Filter. </maml:para><maml:para>The following example shows how to set this parameter to search for all objects in the organizational unit specified by the SearchBase parameter with a name beginning with "sara". </maml:para><maml:para>-LDAPFilter "(name=sara*)" -SearchScope Subtree -SearchBase "DC=NA,DC=fabrikam,DC=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue>256</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADClaimType</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADClaimType</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADClaimType -Filter * </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Retrieves a list of all claim types. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADClaimType -Filter {SourceAttribute -eq 'title'} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all the claim types that are sourced from the attribute 'title'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADClaimType "Employee Type" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the claim type with display name 'Employee Type'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADClaimType "Employee Type" -Properties * </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all properties of the claim type with display name 'Employee Type'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291020</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADComputer</command:name><maml:description><maml:para>Gets one or more Active Directory computers.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADComputer</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADComputer cmdlet gets a computer or performs a search to retrieve multiple computers. </maml:para><maml:para>The Identity parameter specifies the Active Directory computer to retrieve. You can identify a computer by its distinguished name (DN), GUID, security identifier (SID) or Security Accounts Manager (SAM) account name. You can also set the parameter to a computer object variable, such as $<localComputerObject> or pass a computer object through the pipeline to the Identity parameter. </maml:para><maml:para>To search for and retrieve more than one computer, use the Filter or LDAPFilter parameters. The Filter parameter uses the PowerShell Expression Language to write query strings for Active Directory. PowerShell Expression Language syntax provides rich type conversion support for value types received by the Filter parameter. For more information about the Filter parameter syntax, see about_ActiveDirectory_Filter. If you have existing LDAP query strings, you can use the LDAPFilter parameter. </maml:para><maml:para>This cmdlet retrieves a default set of computer object properties. To retrieve additional properties use the Properties parameter. For more information about the how to determine the properties for computer objects, see the Properties parameter description. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADComputer</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchBase</maml:name><maml:description><maml:para>Specifies an Active Directory path to search under. </maml:para><maml:para>When you run a cmdlet from an Active Directory provider drive, the default value of this parameter is the current path of the drive. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD DS target, the default value of this parameter is the default naming context of the target domain. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD LDS target, the default value is the default naming context of the target LDS instance if one has been specified by setting the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. If no default naming context has been specified for the target AD LDS instance, then this parameter has no default value. </maml:para><maml:para>The following example shows how to set this parameter to search under an OU. </maml:para><maml:para>-SearchBase "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>When the value of the SearchBase parameter is set to an empty string and you are connected to a GC port, all partitions will be searched. If the value of the SearchBase parameter is set to an empty string and you are not connected to a GC port, an error will be thrown. </maml:para><maml:para>The following example shows how to set this parameter to an empty string. -SearchBase "" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchScope</maml:name><maml:description><maml:para>Specifies the scope of an Active Directory search. Possible values for this parameter are: </maml:para><maml:para>Base or 0 </maml:para><maml:para>OneLevel or 1 </maml:para><maml:para>Subtree or 2 </maml:para><maml:para>A Base query searches only the current path or object. A OneLevel query searches the immediate children of that path or object. A Subtree query searches the current path or object and all children of that path or object. </maml:para><maml:para>The following example shows how to set this parameter to a subtree search. </maml:para><maml:para>-SearchScope Subtree </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Base</command:parameterValue><command:parameterValue required="true" variableLength="false">OneLevel</command:parameterValue><command:parameterValue required="true" variableLength="false">Subtree</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADComputer</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory computer object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavisDesktop,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>Security Accounts Manager Account Name (sAMAccountName) </maml:para><maml:para>Example: SaraDavisDesktop </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If the identifier given is a DN, the partition to search will be computed from that DN. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a computer object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saraDavisDesktop,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a computer object instance named "computerInstance". </maml:para><maml:para>-Identity $computerInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADComputer</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADComputer</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchBase</maml:name><maml:description><maml:para>Specifies an Active Directory path to search under. </maml:para><maml:para>When you run a cmdlet from an Active Directory provider drive, the default value of this parameter is the current path of the drive. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD DS target, the default value of this parameter is the default naming context of the target domain. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD LDS target, the default value is the default naming context of the target LDS instance if one has been specified by setting the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. If no default naming context has been specified for the target AD LDS instance, then this parameter has no default value. </maml:para><maml:para>The following example shows how to set this parameter to search under an OU. </maml:para><maml:para>-SearchBase "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>When the value of the SearchBase parameter is set to an empty string and you are connected to a GC port, all partitions will be searched. If the value of the SearchBase parameter is set to an empty string and you are not connected to a GC port, an error will be thrown. </maml:para><maml:para>The following example shows how to set this parameter to an empty string. -SearchBase "" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchScope</maml:name><maml:description><maml:para>Specifies the scope of an Active Directory search. Possible values for this parameter are: </maml:para><maml:para>Base or 0 </maml:para><maml:para>OneLevel or 1 </maml:para><maml:para>Subtree or 2 </maml:para><maml:para>A Base query searches only the current path or object. A OneLevel query searches the immediate children of that path or object. A Subtree query searches the current path or object and all children of that path or object. </maml:para><maml:para>The following example shows how to set this parameter to a subtree search. </maml:para><maml:para>-SearchScope Subtree </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Base</command:parameterValue><command:parameterValue required="true" variableLength="false">OneLevel</command:parameterValue><command:parameterValue required="true" variableLength="false">Subtree</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LDAPFilter</maml:name><maml:description><maml:para>Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description and the about_ActiveDirectory_Filter. </maml:para><maml:para>The following example shows how to set this parameter to search for all objects in the organizational unit specified by the SearchBase parameter with a name beginning with "sara". </maml:para><maml:para>-LDAPFilter "(name=sara*)" -SearchScope Subtree -SearchBase "DC=NA,DC=fabrikam,DC=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory computer object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavisDesktop,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>Security Accounts Manager Account Name (sAMAccountName) </maml:para><maml:para>Example: SaraDavisDesktop </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If the identifier given is a DN, the partition to search will be computed from that DN. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a computer object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saraDavisDesktop,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a computer object instance named "computerInstance". </maml:para><maml:para>-Identity $computerInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADComputer</command:parameterValue><dev:type><maml:name>ADComputer</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LDAPFilter</maml:name><maml:description><maml:para>Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description and the about_ActiveDirectory_Filter. </maml:para><maml:para>The following example shows how to set this parameter to search for all objects in the organizational unit specified by the SearchBase parameter with a name beginning with "sara". </maml:para><maml:para>-LDAPFilter "(name=sara*)" -SearchScope Subtree -SearchBase "DC=NA,DC=fabrikam,DC=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue>256</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchBase</maml:name><maml:description><maml:para>Specifies an Active Directory path to search under. </maml:para><maml:para>When you run a cmdlet from an Active Directory provider drive, the default value of this parameter is the current path of the drive. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD DS target, the default value of this parameter is the default naming context of the target domain. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD LDS target, the default value is the default naming context of the target LDS instance if one has been specified by setting the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. If no default naming context has been specified for the target AD LDS instance, then this parameter has no default value. </maml:para><maml:para>The following example shows how to set this parameter to search under an OU. </maml:para><maml:para>-SearchBase "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>When the value of the SearchBase parameter is set to an empty string and you are connected to a GC port, all partitions will be searched. If the value of the SearchBase parameter is set to an empty string and you are not connected to a GC port, an error will be thrown. </maml:para><maml:para>The following example shows how to set this parameter to an empty string. -SearchBase "" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchScope</maml:name><maml:description><maml:para>Specifies the scope of an Active Directory search. Possible values for this parameter are: </maml:para><maml:para>Base or 0 </maml:para><maml:para>OneLevel or 1 </maml:para><maml:para>Subtree or 2 </maml:para><maml:para>A Base query searches only the current path or object. A OneLevel query searches the immediate children of that path or object. A Subtree query searches the current path or object and all children of that path or object. </maml:para><maml:para>The following example shows how to set this parameter to a subtree search. </maml:para><maml:para>-SearchScope Subtree </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADSearchScope</command:parameterValue><dev:type><maml:name>ADSearchScope</maml:name><maml:uri /></dev:type><dev:defaultValue>Subtree</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADComputer</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A computer object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADComputer</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns one or more computer objects. </maml:para><maml:para>This Get-ADComputer cmdlet returns a default set of ADComputer property values. To retrieve additional ADComputer properties, use the Properties parameter of this cmdlet. </maml:para><maml:para>To view the properties for an ADComputer object, see the following examples. To run these examples, replace <computer> with a computer identifier such as the SAM account name of your local computer. </maml:para><maml:para>To get a list of the default set of properties of an ADComputer object, use the following command: </maml:para><maml:para>Get-ADComputer <computer>| Get-Member </maml:para><maml:para>To get a list of all the properties of an ADComputer object, use the following command: </maml:para><maml:para>Get-ADComputer <computer> -Properties ALL | Get-Member </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with AD LDS with its default schema. By default AD LDS schema does not have a computer class, but if the schema is extended to include it, this cmdlet will work with LDS. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADComputer "Fabrikam-SRV1" -Properties * AccountExpirationDate : accountExpires : 9223372036854775807 AccountLockoutTime : AccountNotDelegated : False AllowReversiblePasswordEncryption : False BadLogonCount : CannotChangePassword : False CanonicalName : Fabrikam.com/Computers/fabrikam-srv1 Certificates : {} CN : fabrikam-srv1 codePage : 0 countryCode : 0 Created : 3/16/2009 4:15:00 PM createTimeStamp : 3/16/2009 4:15:00 PM Deleted : Description : DisplayName : DistinguishedName : CN=fabrikam-srv1,CN=Computers,DC=Fabrikam, DC=com DNSHostName : DoesNotRequirePreAuth : False dSCorePropagationData : {3/16/2009 4:21:51 PM, 12/31/1600 4:00:01 PM} Enabled : True HomedirRequired : False HomePage : instanceType : 0 IPv4Address : IPv6Address : isCriticalSystemObject : False isDeleted : LastBadPasswordAttempt : LastKnownParent : LastLogonDate : localPolicyFlags : 0 Location : NA/HQ/Building A LockedOut : False ManagedBy : CN=SQL Administrator 01,OU=UserAccounts,OU =Managed,DC=Fabrikam,DC=com MemberOf : {} MNSLogonAccount : False Modified : 3/16/2009 4:23:01 PM modifyTimeStamp : 3/16/2009 4:23:01 PM msDS-User-Account-Control-Computed : 0 Name : fabrikam-srv1 nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySe curity ObjectCategory : CN=Computer,CN=Schema,CN=Configuration,DC= Fabrikam,DC=com ObjectClass : computer ObjectGUID : 828306a3-8ccd-410e-9537-e6616662c0b0 objectSid : S-1-5-21-41432690-3719764436-1984117282-11 30 OperatingSystem : OperatingSystemHotfix : OperatingSystemServicePack : OperatingSystemVersion : PasswordExpired : False PasswordLastSet : PasswordNeverExpires : False PasswordNotRequired : False PrimaryGroup : CN=Domain Computers,CN=Users,DC=Fabrikam,D C=com primaryGroupID : 515 ProtectedFromAccidentalDeletion : False pwdLastSet : 0 SamAccountName : fabrikam-srv1$ sAMAccountType : 805306369 sDRightsEffective : 0 ServiceAccount : {} servicePrincipalName : {MSOLAPSVC.3/FABRIKAM-SRV1.FABRIKAM.COM:an alyze, MSSQLSVC/FABRIKAM-SRV1.FABRIKAM.COM :1456} ServicePrincipalNames : {MSOLAPSVC.3/FABRIKAM-SRV1.FABRIKAM.COM:an alyze, MSSQLSVC/FABRIKAM-SRV1.FABRIKAM.COM :1456} SID : S-1-5-21-41432690-3719764436-1984117282-11 30 SIDHistory : {} TrustedForDelegation : False TrustedToAuthForDelegation : False UseDESKeyOnly : False userAccountControl : 4096 userCertificate : {} UserPrincipalName : uSNChanged : 36024 uSNCreated : 35966 whenChanged : 3/16/2009 4:23:01 PM whenCreated : 3/16/2009 4:15:00 PM </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get a specific computer showing all the properties. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADComputer -Filter 'Name -like "Fabrikam*"' -Properties IPv4Address | FT Name,DNSHostName,IPv4Address -A name dnshostname ipv4address ---- ----------- ----------- FABRIKAM-SRV1 FABRIKAM-SRV1.Fabrikam.com 10.194.99.181 FABRIKAM-SRV2 FABRIKAM-SRV2.Fabrikam.com 10.194.100.37 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all the computers with a name starting by a particular string and showing the name, dns hostname and IPv4 address. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>$d = [DateTime]::Today.AddDays(-90); Get-ADComputer -Filter 'PasswordLastSet -ge $d' -Properties PasswordLastSet | FT Name,PasswordLastSet Name PasswordLastSet ---- --------------- FABRIKAM-SRV4 3/12/2009 6:40:37 PM FABRIKAM-SRV5 3/12/2009 7:05:45 PM </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all the computers that have changed their password in the last 90 days. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADComputer -LDAPFilter "(name=*laptop*)" -SearchBase "CN=Computers,DC=Fabrikam,DC=com" name ---- saradavi-laptop jeffpr-laptop </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the computer accounts in the location: "CN=Computers,DC=Fabrikam,DC=com" that are listed as laptops (using an LDAPFilter) </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 5 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADComputer -Filter * </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all computer accounts. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291021</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Add-ADComputerServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADComputerServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADComputer</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADComputer</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADComputerServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADComputer</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADComputerServiceAccount</command:name><maml:description><maml:para>Gets the service accounts hosted by a computer.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADComputerServiceAccount</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADComputerServiceAccount cmdlet gets all of the service accounts that are hosted by the specified computer. </maml:para><maml:para>The Computer parameter specifies the Active Directory computer that hosts the service accounts. You can identify a computer by its distinguished name (DN), GUID, security identifier (SID) or Security Accounts Manager (SAM) account name. You can also set the Computer parameter to a computer object variable, such as $<localComputerobject>, or pass a computer object through the pipeline to the Computer parameter. For example, you can use the Get-ADComputer cmdlet to retrieve a computer object and then pass the object through the pipeline to the Get-ADComputerServiceAccount cmdlet. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADComputerServiceAccount</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory computer object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavisDesktop,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>Security Accounts Manager Account Name (sAMAccountName) </maml:para><maml:para>Example: SaraDavisDesktop </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If the identifier given is a DN, the partition to search will be computed from that DN. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a computer object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saraDavisDesktop,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a computer object instance named "computerInstance". </maml:para><maml:para>-Identity $computerInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADComputer</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory computer object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavisDesktop,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>Security Accounts Manager Account Name (sAMAccountName) </maml:para><maml:para>Example: SaraDavisDesktop </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If the identifier given is a DN, the partition to search will be computed from that DN. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a computer object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saraDavisDesktop,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a computer object instance named "computerInstance". </maml:para><maml:para>-Identity $computerInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADComputer</command:parameterValue><dev:type><maml:name>ADComputer</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADComputer</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A computer object is received by the Computer parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADServiceAccount</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns one or more objects that represent the service accounts hosted by the specified computer. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with AD LDS. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADComputerServiceAccount -Identity ComputerAcct1 Enabled : True Name : SvcAcct1 UserPrincipalName : SamAccountName : SvcAcct1$ ObjectClass : msDS-ManagedServiceAccount SID : S-1-5-21-159507390-2980359153-3438059098-1104 ObjectGUID : 8d759d66-ef68-4360-aff6-ec3bb3425ac1 HostComputers : {CN=ComputerAcct1,CN=Computers,DC=contoso,DC=com} DistinguishedName : CN=SvcAcct1,CN=Managed Service Accounts,DC=contoso,DC=com </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the service accounts hosted on a computer account 'ComputerAcct1' </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291022</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Add-ADComputerServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADComputer</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADComputerServiceAccount</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADDCCloningExcludedApplicationList</command:name><maml:description><maml:para>Returns the list of installed programs and services present on this domain controller that are not in the default or user defined inclusion list. </maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADDCCloningExcludedApplicationList</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADDCCloningExcludedApplicationList cmdlet searches the local domain controller for programs and services in the installed programs database, the services control manager that are not specified in the default and user defined inclusion list. The applications in the resulting list can be added to the user defined exclusion list if they are determined to support cloning. If the applications are not cloneable, they should be removed from the source domain controller before the clone media is created. Any application that appears in cmdlet output and is not included in the user defined inclusion list will force cloning to fail.</maml:para><maml:para>Once you have granted a source virtualized DC permissions to be cloned, the Get-ADDCCloningExcludedApplicationList cmdlet should be run a first time with no additional parameters on the source virtualized domain controller to identify all programs or services that are to be evaluated for cloning. Next, vet the returned list with your software vendors and remove any applications from the list that cannot be safely cloned. Finally, you can run the Get-ADDCCloningExcludedApplicationList cmdlet again using the –GenerateXml parameter set to create the CustomDCCloneAllowList.xml file.</maml:para><maml:para>The Get-ADDCCloningExcludedApplicationList cmdlet needs to be run before the New-ADDCCloneConfigFile cmdlet is used because if the New-ADDCCloneConfigFile cmdlet detects an excluded application, it will not create a DCCloneConfig.xml file. For more information on virtual domain controller cloning, see the guidance on AD DS virtualization at <maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=208030</maml:linkText><maml:uri></maml:uri></maml:navigationLink>. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADDCCloningExcludedApplicationList</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Force</maml:name><maml:description><maml:para>Forces an overwrite of an existing CustomDCCloneAllowList.xml file if one is found to exist at the folder path specified in the -Path parameter.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Path</maml:name><maml:description><maml:para>The folder path to use when creating the CustomDCCloneAllowList.xml file using the -GenerateXml switch parameter.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>GenerateXml</maml:name><maml:description><maml:para>Creates the CustomDCCloneAllowList.xml file and writes it in the location specified using the -Path parameter.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Force</maml:name><maml:description><maml:para>Forces an overwrite of an existing CustomDCCloneAllowList.xml file if one is found to exist at the folder path specified in the -Path parameter.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>GenerateXml</maml:name><maml:description><maml:para>Creates the CustomDCCloneAllowList.xml file and writes it in the location specified using the -Path parameter.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Path</maml:name><maml:description><maml:para>The folder path to use when creating the CustomDCCloneAllowList.xml file using the -GenerateXml switch parameter.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>ADEntity </maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADDCCloningExcludedApplicationList </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Displays the excluded application list to the console. If there is already a CustomDCCloneAllowList.xml, this cmdlet displays the delta of that list compared to the operating system (which may be nothing if the lists match). </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADDCCloningExcludedApplicationList -GenerateXml -Path C:\Windows\NTDS -Force </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Generates the excluded application list as a file named CustomDCCloneAllowList.xml at the specified folder path (C:\Windows\NTDS) and forces overwrite if a file by that name is found to already exist at that path location. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291023</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADDefaultDomainPasswordPolicy</command:name><maml:description><maml:para>Gets the default password policy for an Active Directory domain.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADDefaultDomainPasswordPolicy</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADDefaultDomainPasswordPolicy cmdlet gets the default password policy for a domain. </maml:para><maml:para>The Identity parameter specifies the Active Directory domain. You can identify a domain by its Distinguished Name (DN), GUID, Security Identifier (SID), DNS domain name, or NETBIOS name. You can also set the parameter to a domain object variable, such as $<localDomainObject> or pass a domain object through the pipeline to the Identity parameter. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADDefaultDomainPasswordPolicy</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>Current</maml:name><maml:description><maml:para>Specifies whether to return the domain of the local computer or the current logged on user (CLU). Possible values for this parameter are: </maml:para><maml:para>LocalComputer or 0 </maml:para><maml:para>LoggedOnUser or 1 </maml:para><maml:para>The following example shows how to set this parameter to return the domain of the current logged on user. </maml:para><maml:para>-Current LoggedOnUser </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">LocalComputer</command:parameterValue><command:parameterValue required="true" variableLength="false">LoggedOnUser</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADDefaultDomainPasswordPolicy</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory domain object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. All values are for the domainDNS object that represents the domain. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: DC=redmond,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370- </maml:para><maml:para>DNS domain name </maml:para><maml:para>Example: redmond.corp.contoso.com </maml:para><maml:para>NetBIOS domain name </maml:para><maml:para>Example: redmond </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a domain object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "DC=redmond,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a domain object instance named "domainInstance". </maml:para><maml:para>-Identity $domainInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADDefaultDomainPasswordPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>Current</maml:name><maml:description><maml:para>Specifies whether to return the domain of the local computer or the current logged on user (CLU). Possible values for this parameter are: </maml:para><maml:para>LocalComputer or 0 </maml:para><maml:para>LoggedOnUser or 1 </maml:para><maml:para>The following example shows how to set this parameter to return the domain of the current logged on user. </maml:para><maml:para>-Current LoggedOnUser </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADCurrentDomainType</command:parameterValue><dev:type><maml:name>ADCurrentDomainType</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory domain object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. All values are for the domainDNS object that represents the domain. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: DC=redmond,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370- </maml:para><maml:para>DNS domain name </maml:para><maml:para>Example: redmond.corp.contoso.com </maml:para><maml:para>NetBIOS domain name </maml:para><maml:para>Example: redmond </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a domain object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "DC=redmond,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a domain object instance named "domainInstance". </maml:para><maml:para>-Identity $domainInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADDefaultDomainPasswordPolicy</command:parameterValue><dev:type><maml:name>ADDefaultDomainPasswordPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADDomain</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A domain object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADDefaultDomainPasswordPolicy</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns the default domain password policy object for the specified domain. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with AD LDS. </maml:para><maml:para>This cmdlet does not work when targeting a snapshot using the Server parameter. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADDefaultDomainPasswordPolicy -Current LoggedOnUser </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the default domain password policy from current logged on user domain. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADDefaultDomainPasswordPolicy -Current LocalComputer </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the default domain password policy from current local computer. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADDefaultDomainPasswordPolicy -Identity fabrikam.com </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the default domain password policy from a given domain. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>(Get-ADForest -Current LoggedOnUser).Domains | %{ Get-ADDefaultDomainPasswordPolicy -Identity $_ } </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the default domain password policy objects from all the domains in the forest. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 5 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADDefaultDomainPasswordPolicy </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the default domain password policy from current logged on user domain. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291024</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADDomain</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADDomain</command:name><maml:description><maml:para> Gets an Active Directory domain.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADDomain</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADDomain cmdlet gets the Active Directory domain specified by the parameters. You can specify the domain by setting the Identity or Current parameters. </maml:para><maml:para>The Identity parameter specifies the Active Directory domain to get. You can identify the domain object to get by its Distinguished Name (DN), GUID, Security Identifier (SID), DNS domain name, or NetBIOS name. You can also set the parameter to a domain object variable, such as $<localDomainObject> or pass a domain object through the pipeline to the Identity parameter. </maml:para><maml:para>To get the domain of the local computer or current logged on user (CLU) set the Current parameter to LocalComputer or LoggedOnUser. When you set the Current parameter, you do not need to set the Identity parameter. </maml:para><maml:para>When the Current parameter is set to LocalComputer or LogedOnUser, the cmdlet uses the Server and Credential parameters according to the following rules. </maml:para><maml:para>-If both the Server and Credential parameters are not specified: </maml:para><maml:para>--The domain is set to the domain of the LocalComputer or LoggedOnUser and a server is located in this domain. The credentials of the current logged on user are used to get the domain. </maml:para><maml:para>-If the Server parameter is specified and the Credential parameter is not specified: </maml:para><maml:para>--The domain is set to the domain of the specified server and the cmdlet checks to make sure that the server is in the domain of the LocalComputer or LoggedOnUser. Then the credentials of the current logged on user are used to get the domain. An error is returned when the server is not in the domain of the LocalComputer or LoggedOnUser. </maml:para><maml:para>-If the Server parameter is not specified and the Credential parameter is specified: </maml:para><maml:para>--The domain is set to the domain of the LocalComputer or LoggedOnUser and a server is located in this domain. Then the credentials specified by the Credential parameter are used to get the domain. </maml:para><maml:para>If the Server and Credential parameters are specified: </maml:para><maml:para>The domain is set to the domain of the specified server and the cmdlet checks to make sure that the server is in the domain of the LocalComputer or LoggedOnUser. Then the credentials specified by the Credential parameter are used to get the domain. An error is returned when the server is not in the domain of the LocalComputer or LoggedOnUser. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADDomain</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Current</maml:name><maml:description><maml:para>Specifies whether to return the domain of the local computer or the current logged on user (CLU). Possible values for this parameter are: </maml:para><maml:para>LocalComputer or 0 </maml:para><maml:para>LoggedOnUser or 1 </maml:para><maml:para>The following example shows how to set this parameter to return the domain of the current logged on user. </maml:para><maml:para>-Current LoggedOnUser </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">LocalComputer</command:parameterValue><command:parameterValue required="true" variableLength="false">LoggedOnUser</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADDomain</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory domain object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. All values are for the domainDNS object that represents the domain. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: DC=redmond,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370- </maml:para><maml:para>DNS domain name </maml:para><maml:para>Example: redmond.corp.contoso.com </maml:para><maml:para>NetBIOS domain name </maml:para><maml:para>Example: redmond </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a domain object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "DC=redmond,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a domain object instance named "domainInstance". </maml:para><maml:para>-Identity $domainInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADDomain</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Current</maml:name><maml:description><maml:para>Specifies whether to return the domain of the local computer or the current logged on user (CLU). Possible values for this parameter are: </maml:para><maml:para>LocalComputer or 0 </maml:para><maml:para>LoggedOnUser or 1 </maml:para><maml:para>The following example shows how to set this parameter to return the domain of the current logged on user. </maml:para><maml:para>-Current LoggedOnUser </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADCurrentDomainType</command:parameterValue><dev:type><maml:name>ADCurrentDomainType</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory domain object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. All values are for the domainDNS object that represents the domain. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: DC=redmond,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370- </maml:para><maml:para>DNS domain name </maml:para><maml:para>Example: redmond.corp.contoso.com </maml:para><maml:para>NetBIOS domain name </maml:para><maml:para>Example: redmond </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a domain object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "DC=redmond,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a domain object instance named "domainInstance". </maml:para><maml:para>-Identity $domainInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADDomain</command:parameterValue><dev:type><maml:name>ADDomain</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADDomain</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A domain object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADDomain</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns one or more domain objects. </maml:para><maml:para>The cmdlet returns all of the properties of the domain. To view all of the properties for an ADDomain object, use the following command and replace <domain> with a domain controller identifier such as a DNS host name. </maml:para><maml:para>Get-ADDomain <domain>| Get-Member </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with AD LDS. </maml:para><maml:para>This cmdlet does not work when targeting a snapshot using the Server parameter. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADDomain fabrikam.com </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Gets the domain information for the domain 'fabrikam.com'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADDomain -Current LocalComputer </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the domain information of the current local computer domain. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADDomain -Current LoggedOnUser </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Gets the domain information for the domain of the currently logged on user. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADDomain AllowedDNSSuffixes : {} ChildDomains : {} ComputersContainer : CN=Computers,DC=Fabrikam,DC=com DeletedObjectsContainer : CN=Deleted Objects,DC=Fabrikam,DC=com DistinguishedName : DC=Fabrikam,DC=com DNSRoot : Fabrikam.com DomainControllersContainer : OU=Domain Controllers,DC=Fabrikam,DC=com DomainMode : Windows2003Domain DomainSID : S-1-5-21-41432690-3719764436-1984117282 ForeignSecurityPrincipalsContainer : CN=ForeignSecurityPrincipals,DC=Fabrikam,DC=com Forest : Fabrikam.com InfrastructureMaster : Fabrikam-DC1.Fabrikam.com LastLogonReplicationInterval : LinkedGroupPolicyObjects : {CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=Fabrikam,DC=com} LostAndFoundContainer : CN=LostAndFound,DC=Fabrikam,DC=com ManagedBy : Name : Fabrikam NetBIOSName : FABRIKAM ObjectClass : domainDNS ObjectGUID : b63b4f44-58b9-49cf-8911-b36e8575d5eb ParentDomain : PDCEmulator : Fabrikam-DC1.Fabrikam.com QuotasContainer : CN=NTDS Quotas,DC=Fabrikam,DC=com ReadOnlyReplicaDirectoryServers : {CSD2722780.Fabrikam.com} ReplicaDirectoryServers : {Fabrikam-DC1.Fabrikam.com} RIDMaster : Fabrikam-DC1.Fabrikam.com SubordinateReferences : {DC=ForestDnsZones,DC=Fabrikam,DC=com, DC=DomainDnsZones,DC=Fabrikam,DC=com, CN=Co nfiguration,DC=Fabrikam,DC=com} SystemsContainer : CN=System,DC=Fabrikam,DC=com UsersContainer : CN=Users,DC=Fabrikam,DC=com </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Gets the domain information for the domain of the currently logged on user. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291025</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADDomain</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADDomainMode</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADDomainController</command:name><maml:description><maml:para>Gets one or more Active Directory domain controllers based on discoverable services criteria, search parameters or by providing a domain controller identifier, such as the NetBIOS name.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADDomainController</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADDomainController cmdlet gets the domain controllers specified by the parameters. You can get domain controllers by setting the Identity, Filter or Discover parameters. </maml:para><maml:para>The Identity parameter specifies the domain controller to get. You can identify a domain controller by its GUID, IPV4Address, global IPV6Address, or DNS host name. You can also identify a domain controller by the name of the server object that represents the domain controller, the Distinguished Name (DN) of the NTDS settings object or the server object, the GUID of the NTDS settings object or the server object under the configuration partition, or the DN of the computer object that represents the domain controller. You can also set the Identity parameter to a domain controller object variable, such as $<localDomainControllerObject>, or pass a domain controller object through the pipeline to the Identity parameter. </maml:para><maml:para>To search for and retrieve more than one domain controller, use the Filter parameter. The Filter parameter uses the PowerShell Expression Language to write query strings for Active Directory. PowerShell Expression Language syntax provides rich type conversion support for value types received by the Filter parameter. For more information about the Filter parameter syntax, see about_ActiveDirectory_Filter. You cannot use an LDAP query string with this cmdlet. </maml:para><maml:para>To get a domain controller by using the discovery mechanism of DCLocator, use the Discover parameter. You can provide search criteria by setting parameters such as Service, SiteName, DomainName, NextClosestSite, AvoidSelf, and ForceDiscover. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADDomainController</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory domain controller object by providing one of the following values. The identifier in parentheses is the LDAP display name for the attribute. Unless specified otherwise, these values are for the server object that represents the domain controller. </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 768c44de-f72d-66e0-8a88-0523ca495f20 </maml:para><maml:para>IPV4Address </maml:para><maml:para>Example:157.59.132.61 </maml:para><maml:para>Global IPV6Address </maml:para><maml:para>Example: 2001:4898:0:fff:200:5efe:157.59.132.61 </maml:para><maml:para>DNS Host Name (dNSHostName) </maml:para><maml:para>Example: corp-DC01.corp.contoso.com </maml:para><maml:para>Name of the server object </maml:para><maml:para>Example: corp-DC01$ </maml:para><maml:para>Distinguished Name of the NTDS Settings object </maml:para><maml:para>Example: CN=NTDS Settings,CN=CORP-DC12,CN=Servers,CN=NA-CAN-QBC,CN=Sites,CN=Configuration,DC=corp,DC=contoso </maml:para><maml:para>Distinguished Name of the server object that represents the domain controller </maml:para><maml:para>Example: CN=CORP-DC12,CN=Servers,CN=NA-CAN-QBC,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID of NTDS settings object under the configuration partition </maml:para><maml:para>Example: 68adaf21-e28d-6012-bca8-320d93450ab0 </maml:para><maml:para>GUID of server object under the configuration partition </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Distinguished Name of the computer object that represents the domain controller. </maml:para><maml:para>Example: CN=CORP-DC12,OU=Domain Controllers,DC=corp,DC=contoso,DC=com </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name of the NTDS Settings object. </maml:para><maml:para>-Identity "CN=NTDS Settings,CN=CORP-DC12,CN=Servers,CN=NA-CAN-QBC,CN=Sites,CN=Configuration,DC=corp,DC=contoso" </maml:para><maml:para>This example shows how to set this parameter to a domain controller object instance named "AD_DCInstance". </maml:para><maml:para>-Identity $AD_DCInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADDomainController</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADDomainController</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AvoidSelf</maml:name><maml:description><maml:para>Specifies to not return the current computer as a domain controller. If the current computer is not a domain controller, this parameter is ignored. You can specify this parameter when you want to get the name of another domain controller in the domain. </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-AvoidSelf </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>DomainName</maml:name><maml:description><maml:para>Specifies the domain to search. The cmdlet locates a discoverable domain controller in this domain. Specify the domain by using the NetBIOS name or Fully Qualified Domain Name (FQDN) of the domain. </maml:para><maml:para>The following example shows how to set this parameter to the FQDN of a domain. </maml:para><maml:para>-DomainName "contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ForceDiscover</maml:name><maml:description><maml:para>Forces the cmdlet to clear any cached domain controller information and perform a new discovery. If this parameter is not specified the cmdlet may return cached domain controller information. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ForceDiscover </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>MinimumDirectoryServiceVersion</maml:name><maml:description><maml:para>Species the earliest operating system that the domain controller can have so that it is returned by the cmdlet when getting a DC using -Discover switch. Possible values are: </maml:para><maml:para>Windows2000 or 1 </maml:para><maml:para>Windows2008 or 2 </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-MinimumDirectoryServiceVersion Windows2000 </maml:para><maml:para>The following example shows how to get any live DC that is Windows 2008 or above: </maml:para><maml:para>Get-ADDomainController -Discover -MinimumDirectoryServiceVersion Windows2008 </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Windows2000</command:parameterValue><command:parameterValue required="true" variableLength="false">Windows2008</command:parameterValue><command:parameterValue required="true" variableLength="false">Windows2012</command:parameterValue><command:parameterValue required="true" variableLength="false">Windows2012R2</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>NextClosestSite</maml:name><maml:description><maml:para>Specifies to return a domain controller in the next closest site when a domain controller is not found in the site that contains the client. The next closest site is the site with the lowest site link cost with respect to the current site. Costs between sites are based on factors such as bandwidth, as well as physical proximity. </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-NextClosestSite </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Service</maml:name><maml:description><maml:para>Species the types of domain controllers to get. You can specify more than one type by using a comma-separated list. Possible values for this parameter are: </maml:para><maml:para>PrimaryDC or 1 </maml:para><maml:para>GlobalCatalog or 2 </maml:para><maml:para>KDC or 3 </maml:para><maml:para>TimeService or 4 </maml:para><maml:para>ReliableTimeService or 5 </maml:para><maml:para>ADWS or 6 </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Service GlobalCatalog, KDC </maml:para><maml:para>The following example shows how to get a live DC that has Web Services enabled: </maml:para><maml:para>Get-ADDomainController -Discover -Services ADWS </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="true">ADWS</command:parameterValue><command:parameterValue required="true" variableLength="true">GlobalCatalog</command:parameterValue><command:parameterValue required="true" variableLength="true">KDC</command:parameterValue><command:parameterValue required="true" variableLength="true">PrimaryDC</command:parameterValue><command:parameterValue required="true" variableLength="true">ReliableTimeService</command:parameterValue><command:parameterValue required="true" variableLength="true">TimeService</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SiteName</maml:name><maml:description><maml:para>Specifies the name of a site to search in to find the domain controller. If this parameter is not set, the cmdlet searches for domain controllers in the same site as the client. The name of the site is defined by the Name property of the site object. </maml:para><maml:para>The following example shows how to use this parameter to specify a site. </maml:para><maml:para>-SiteName "redmond" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Writable</maml:name><maml:description><maml:para>Specifies whether or not this is a writable domain controller. </maml:para></maml:description></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Discover</maml:name><maml:description><maml:para>Specifies to return a discoverable domain controller that meets the conditions specified by the cmdlet parameters. </maml:para><maml:para>To get a domain controller by using the discovery mechanism of DCLocator, use the Discover parameter. Along with this parameter, you can provide search criteria by setting parameters such as Service, SiteName, DomainName, NextClosestSite, AvoidSelf, and ForceDiscover. </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-Discover </maml:para><maml:para>The following example shows how to get a live DC that has Web Services enabled in a specific site with name "RODC-Site". </maml:para><maml:para>Get-ADDomainController -Discover -Services ADWS -SiteName RODC-Site </maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADDomainController</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AvoidSelf</maml:name><maml:description><maml:para>Specifies to not return the current computer as a domain controller. If the current computer is not a domain controller, this parameter is ignored. You can specify this parameter when you want to get the name of another domain controller in the domain. </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-AvoidSelf </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Discover</maml:name><maml:description><maml:para>Specifies to return a discoverable domain controller that meets the conditions specified by the cmdlet parameters. </maml:para><maml:para>To get a domain controller by using the discovery mechanism of DCLocator, use the Discover parameter. Along with this parameter, you can provide search criteria by setting parameters such as Service, SiteName, DomainName, NextClosestSite, AvoidSelf, and ForceDiscover. </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-Discover </maml:para><maml:para>The following example shows how to get a live DC that has Web Services enabled in a specific site with name "RODC-Site". </maml:para><maml:para>Get-ADDomainController -Discover -Services ADWS -SiteName RODC-Site </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>DomainName</maml:name><maml:description><maml:para>Specifies the domain to search. The cmdlet locates a discoverable domain controller in this domain. Specify the domain by using the NetBIOS name or Fully Qualified Domain Name (FQDN) of the domain. </maml:para><maml:para>The following example shows how to set this parameter to the FQDN of a domain. </maml:para><maml:para>-DomainName "contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue>Name of the domain to which this machine is joined</dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ForceDiscover</maml:name><maml:description><maml:para>Forces the cmdlet to clear any cached domain controller information and perform a new discovery. If this parameter is not specified the cmdlet may return cached domain controller information. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ForceDiscover </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory domain controller object by providing one of the following values. The identifier in parentheses is the LDAP display name for the attribute. Unless specified otherwise, these values are for the server object that represents the domain controller. </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 768c44de-f72d-66e0-8a88-0523ca495f20 </maml:para><maml:para>IPV4Address </maml:para><maml:para>Example:157.59.132.61 </maml:para><maml:para>Global IPV6Address </maml:para><maml:para>Example: 2001:4898:0:fff:200:5efe:157.59.132.61 </maml:para><maml:para>DNS Host Name (dNSHostName) </maml:para><maml:para>Example: corp-DC01.corp.contoso.com </maml:para><maml:para>Name of the server object </maml:para><maml:para>Example: corp-DC01$ </maml:para><maml:para>Distinguished Name of the NTDS Settings object </maml:para><maml:para>Example: CN=NTDS Settings,CN=CORP-DC12,CN=Servers,CN=NA-CAN-QBC,CN=Sites,CN=Configuration,DC=corp,DC=contoso </maml:para><maml:para>Distinguished Name of the server object that represents the domain controller </maml:para><maml:para>Example: CN=CORP-DC12,CN=Servers,CN=NA-CAN-QBC,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID of NTDS settings object under the configuration partition </maml:para><maml:para>Example: 68adaf21-e28d-6012-bca8-320d93450ab0 </maml:para><maml:para>GUID of server object under the configuration partition </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Distinguished Name of the computer object that represents the domain controller. </maml:para><maml:para>Example: CN=CORP-DC12,OU=Domain Controllers,DC=corp,DC=contoso,DC=com </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name of the NTDS Settings object. </maml:para><maml:para>-Identity "CN=NTDS Settings,CN=CORP-DC12,CN=Servers,CN=NA-CAN-QBC,CN=Sites,CN=Configuration,DC=corp,DC=contoso" </maml:para><maml:para>This example shows how to set this parameter to a domain controller object instance named "AD_DCInstance". </maml:para><maml:para>-Identity $AD_DCInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADDomainController</command:parameterValue><dev:type><maml:name>ADDomainController</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>MinimumDirectoryServiceVersion</maml:name><maml:description><maml:para>Species the earliest operating system that the domain controller can have so that it is returned by the cmdlet when getting a DC using -Discover switch. Possible values are: </maml:para><maml:para>Windows2000 or 1 </maml:para><maml:para>Windows2008 or 2 </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-MinimumDirectoryServiceVersion Windows2000 </maml:para><maml:para>The following example shows how to get any live DC that is Windows 2008 or above: </maml:para><maml:para>Get-ADDomainController -Discover -MinimumDirectoryServiceVersion Windows2008 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADMinimumDirectoryServiceVersion</command:parameterValue><dev:type><maml:name>ADMinimumDirectoryServiceVersion</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>NextClosestSite</maml:name><maml:description><maml:para>Specifies to return a domain controller in the next closest site when a domain controller is not found in the site that contains the client. The next closest site is the site with the lowest site link cost with respect to the current site. Costs between sites are based on factors such as bandwidth, as well as physical proximity. </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-NextClosestSite </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Service</maml:name><maml:description><maml:para>Species the types of domain controllers to get. You can specify more than one type by using a comma-separated list. Possible values for this parameter are: </maml:para><maml:para>PrimaryDC or 1 </maml:para><maml:para>GlobalCatalog or 2 </maml:para><maml:para>KDC or 3 </maml:para><maml:para>TimeService or 4 </maml:para><maml:para>ReliableTimeService or 5 </maml:para><maml:para>ADWS or 6 </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Service GlobalCatalog, KDC </maml:para><maml:para>The following example shows how to get a live DC that has Web Services enabled: </maml:para><maml:para>Get-ADDomainController -Discover -Services ADWS </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADDiscoverableService[]</command:parameterValue><dev:type><maml:name>ADDiscoverableService[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SiteName</maml:name><maml:description><maml:para>Specifies the name of a site to search in to find the domain controller. If this parameter is not set, the cmdlet searches for domain controllers in the same site as the client. The name of the site is defined by the Name property of the site object. </maml:para><maml:para>The following example shows how to use this parameter to specify a site. </maml:para><maml:para>-SiteName "redmond" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue>Name of the site that the client is in</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Writable</maml:name><maml:description><maml:para>Specifies whether or not this is a writable domain controller. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADDomainController</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A domain controller object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADDomainController</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns one or more domain controller objects. </maml:para><maml:para>When you use the Discover parameter to get a domain controller, the cmdlet returns a default set of property values for each domain controller. </maml:para><maml:para>When you use the Identity or Filter parameters to get a domain controller, this cmdlet returns all of the properties of the domain controller. </maml:para><maml:para>To view all of the properties for an ADDomainController object, use the following command and replace <domaincontroller> with a domain controller identifier such as a DNS host name. </maml:para><maml:para>Get-ADDomainController <domaincontroller>| Get-Member </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>The Name and HostName properties of the ADDomainController objects returned by the cmdlet are set according to the following rule: </maml:para><maml:para>- If the Discover parameter is used, HostName is the Fully Qualified Domain Name of the Domain Controller, and the Name is the NetBIOS name of the Domain Controller. With the Discover parameter, the cmdlet will perform a second DCLocator call, to populate the Name property. This property will not be set, to the NetBIOS name of the Domain Controller, if the WINS service is unavailable. </maml:para><maml:para>- If the Identity or the Filter parameter is used, HostName is the DNSHostName attribute of the Domain Controller object, and the Name is the Name (RDN) attribute of the Domain Controller object. With the Identity or the Filter parameter, the HostName property will not be set, if the DNSHostName attribute of the Domain Controller object is null. </maml:para><maml:para>This cmdlet does not work with AD LDS. </maml:para><maml:para>This cmdlet does not work when targeting a snapshot using the Server parameter. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADDomainController -Discover -Site "Default-First-Site-Name" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get one available DC in a given site using Discovery. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADDomainController -Discover -Site "Default-First-Site-Name" -ForceDiscover </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Force discover/find one available DC in a given site. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADDomainController -Discover -Service "GlobalCatalog" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get a global catalog in the current forest using Discovery. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADDomainController -Discover -Service 2 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get a global catalog in the current forest using Discovery. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 5 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADDomainController -Discover </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get one available DC in the current domain using Discovery. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 6 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADDomainController -Discover -Domain "fabrikam.com" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get one available DC in a given domain using Discovery. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 7 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADDomainController -Discover -Domain "corp.contoso.com" -Service "PrimaryDC","TimeService" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the PDC using Discovery and make sure that is advertising as a time server. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 8 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADDomainController -Identity "PDC-01" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get a domain controller using its NetBIOS name. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 9 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADDomainController "PDC-01" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get a domain controller using its NetBIOS name. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 10 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADDomainController -Identity "TK5-CORP-DC-10.fabrikam.com" -Server "fabrikam.com" -Credential "corp\administrator" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get a domain controller using its DNS host name, in a given domain (specified in Server parameter) and specifying administrator credentials. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 11 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADDomainController -Identity "168.54.62.57" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get a domain controller using its IP address. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 12 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADDomainController -Filter { isGlobalCatalog -eq $true -and Site -eq "Default-First-Site-Name" } </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all global catalogs in a given site. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 13 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADDomainController -Server "research.fabrikam.com" -Filter { isGlobalCatalog -eq $true -and isReadOnly -eq $true } </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all ROGCs in the child domain to which the client is connected. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 14 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADDomainController </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Gets the domain controller in the user's current session. This is the domain controller used as a default Server in the context of an AD Provider. Using this cmdlet in this way will let you know which Server is being used by default. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 15 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>$allDCs = (Get-ADForest).Domains | %{ Get-ADDomainController –Filter * -Server $_ } </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Gets a list of all of the domain controllers for all the domains within a forest. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291026</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Add-ADDomainControllerPasswordReplicationPolicy</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADDomainControllerPasswordReplicationPolicy</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADDomainControllerPasswordReplicationPolicy</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADDomainControllerPasswordReplicationPolicy</command:name><maml:description><maml:para>Gets the members of the allowed list or denied list of a read-only domain controller's password replication policy.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADDomainControllerPasswordReplicationPolicy</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADDomainControllerPasswordReplicationPolicy gets the users, computers, service accounts and groups that are members of the applied list or denied list for a read-only domain controller's (RODC) password replication policy. To get the members of the applied list, specify the AppliedList parameter. To get the members of the denied list, specify the DeniedList parameter. </maml:para><maml:para>The Identity parameter specifies the RODC that uses the allowed and denied lists to apply the password replication policy. You can identify a domain controller by its GUID, IPV4Address, IPV6Address, or DNS host name. You can also identify a domain controller by the name of the server object that represents the domain controller, the Distinguished Name (DN) of the NTDS settings object or the server object, the GUID of the NTDS settings object or the server object under the configuration partition, or the DN of the computer object that represents the domain controller. </maml:para><maml:para>You can also set the Identity parameter to a domain controller object variable, such as $<localDomainControllerobject>, or pass a domain controller object through the pipeline to the Identity parameter. For example, you can use the Get-ADDomainController cmdlet to retrieve a domain controller object and then pass the object through the pipeline to the Get-ADDomainControllerPasswordReplicationPolicy cmdlet. </maml:para><maml:para>If you specify a writeable domain controller for this cmdlet, the cmdlet returns a non-terminating error. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADDomainControllerPasswordReplicationPolicy</maml:name></command:syntaxItem></command:syntax><command:parameters></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADDomainController</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A domain controller object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADPrincipal</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns one or more objects that represent the users, computers, service accounts and groups that are members of the applied list or denied list of the domain controller password replication policy. The list returned depends on the parameters specified. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with AD LDS. </maml:para><maml:para>This cmdlet does not work when targeting a snapshot using the Server parameter. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADDomainControllerPasswordReplicationPolicy -Identity "FABRIKAM-RODC1" -Allowed | ft Name,ObjectClass </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get from an RODC domain controller password replication policy the allowed accounts showing the name and object class of each </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADDomainController -Filter {IsReadOnly -eq $true} | Get-ADDomainControllerPasswordReplicationPolicy -Allowed DistinguishedName : CN=Allowed RODC Password Replication Group,CN=Users,DC=Fabrikam,DC=com Name : Allowed RODC Password Replication Group ObjectClass : group ObjectGUID : 239b0470-7f49-472d-8fcb-4911e90b2c5e SamAccountName : Allowed RODC Password Replication Group SID : S-1-5-21-41432690-3719764436-1984117282-571 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the password replcation policy allowed lists from all RODCs in the domain. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291027</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Add-ADDomainControllerPasswordReplicationPolicy</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADDomainControllerPasswordReplicationPolicy</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADDomainControllerPasswordReplicationPolicyUsage</command:name><maml:description><maml:para>Gets the Active Directory accounts that are authenticated by a read-only domain controller or that are in the revealed list of the domain controller.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADDomainControllerPasswordReplicationPolicyUsage</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADDomainControllerPasswordReplicationPolicyUsage cmdlet gets the user or computer accounts that are authenticated by a read-only domain controller (RODC) or that have passwords that are stored on that RODC. The list of accounts that are stored on a RODC is known as the revealed list. </maml:para><maml:para>To get accounts that are authenticated by the RODC, use the AuthenticatedAccounts parameter. To get the accounts that have passwords stored on the RODC, use the RevealedAccounts parameter. </maml:para><maml:para>The Identity parameter specifies the RODC. You can identify a domain controller by its GUID, IPV4Address, global IPV6Address, or DNS host name. You can also identify a domain controller by the name of the server object that represents the domain controller, the Distinguished Name (DN) of the NTDS settings object of the server object, the GUID of the NTDS settings object of the server object under the configuration partition, or the DN of the computer object that represents the domain controller. You can also set the Identity parameter to a domain controller object variable, such as $<localDomainControllerobject>, or pass a domain controller object through the pipeline to the Identity parameter. For example, you can use the Get-ADDomainController cmdlet to retrieve a domain controller object and then pass the object through the pipeline to the Get-ADDomainControllerPasswordReplicationPolicyUsage cmdlet. If you specify a writeable domain controller for this cmdlet, the cmdlet returns a non-terminating error. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADDomainControllerPasswordReplicationPolicyUsage</maml:name></command:syntaxItem></command:syntax><command:parameters></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADDomainController</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A domain controller object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADAccount</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns one or more account objects that represent the users, computers, and service accounts that are authenticated by the specified read-only domain controller (RODC) or that have passwords that are stored on the RODC. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with AD LDS. </maml:para><maml:para>This cmdlet does not work when targeting a snapshot using the Server parameter. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity "FABRIKAM-RODC1" -AuthenticatedAccounts | ft Name,ObjectClass -A </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the authenticated accounts for a given RODC showing the name and object class of each </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity "FABRIKAM-RODC1" -RevealedAccounts | ft Name,ObjectClass -A </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Gets the revealed accounts for a given RODC showing the name and object class of each account returned. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADDomainController -Filter {IsReadOnly -eq $true} | Get-ADDomainControllerPasswordReplicationPolicyUsage DistinguishedName : CN=krbtgt_35512,CN=Users,DC=Fabrikam,DC=com Enabled : False Name : krbtgt_35512 ObjectClass : user ObjectGUID : 8c7268f9-add3-409c-968b-de029e517211 SamAccountName : krbtgt_35512 SID : S-1-5-21-41432690-3719764436-1984117282-1106 UserPrincipalName : DistinguishedName : CN=CSD2722780,OU=Domain Controllers,DC=Fabrikam,DC=com Enabled : True Name : CSD2722780 ObjectClass : computer ObjectGUID : 63a5e005-e01f-4fc9-ae71-9d9367f808bc SamAccountName : CSD2722780$ SID : S-1-5-21-41432690-3719764436-1984117282-1105 UserPrincipalName : </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Gets the list of accounts cached across all RODCs in the domain. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291028</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADDomainController</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADFineGrainedPasswordPolicy</command:name><maml:description><maml:para>Gets one or more Active Directory fine grained password policies.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADFineGrainedPasswordPolicy</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADFineGrainedPasswordPolicy cmdlet gets a fine grained password policy or performs a search to retrieve multiple fine grained password policies. </maml:para><maml:para>The Identity parameter specifies the Active Directory fine grained password policy to get. You can identify a fine grained password policy by its distinguished name (DN), GUID or name. You can also set the parameter to a fine grained password policy object variable, such as $<localFineGrainedPasswordPolicyObject> or pass a fine grained password policy object through the pipeline to the Identity parameter. </maml:para><maml:para>To search for and retrieve more than one fine grained password policies, use the Filter or LDAPFilter parameters. The Filter parameter uses the PowerShell Expression Language to write query strings for Active Directory. PowerShell Expression Language syntax provides rich type conversion support for value types received by the Filter parameter. For more information about the Filter parameter syntax, see about_ActiveDirectory_Filter. If you have existing LDAP query strings, you can use the LDAPFilter parameter. </maml:para><maml:para>This cmdlet retrieves a default set of fine grained password policy object properties. To retrieve additional properties use the Properties parameter. For more information about the how to determine the properties for FineGrainedPasswordPolicy objects, see the Properties parameter description. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADFineGrainedPasswordPolicy</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchBase</maml:name><maml:description><maml:para>Specifies an Active Directory path to search under. </maml:para><maml:para>When you run a cmdlet from an Active Directory provider drive, the default value of this parameter is the current path of the drive. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD DS target, the default value of this parameter is the default naming context of the target domain. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD LDS target, the default value is the default naming context of the target LDS instance if one has been specified by setting the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. If no default naming context has been specified for the target AD LDS instance, then this parameter has no default value. </maml:para><maml:para>The following example shows how to set this parameter to search under an OU. </maml:para><maml:para>-SearchBase "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>When the value of the SearchBase parameter is set to an empty string and you are connected to a GC port, all partitions will be searched. If the value of the SearchBase parameter is set to an empty string and you are not connected to a GC port, an error will be thrown. </maml:para><maml:para>The following example shows how to set this parameter to an empty string. -SearchBase "" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchScope</maml:name><maml:description><maml:para>Specifies the scope of an Active Directory search. Possible values for this parameter are: </maml:para><maml:para>Base or 0 </maml:para><maml:para>OneLevel or 1 </maml:para><maml:para>Subtree or 2 </maml:para><maml:para>A Base query searches only the current path or object. A OneLevel query searches the immediate children of that path or object. A Subtree query searches the current path or object and all children of that path or object. </maml:para><maml:para>The following example shows how to set this parameter to a subtree search. </maml:para><maml:para>-SearchScope Subtree </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Base</command:parameterValue><command:parameterValue required="true" variableLength="false">OneLevel</command:parameterValue><command:parameterValue required="true" variableLength="false">Subtree</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADFineGrainedPasswordPolicy</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory fine-grained password policy object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name (distinguishedName) </maml:para><maml:para>Example: CN=Strict Password Policy,CN=Password Settings Container,CN=System,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Name (name) </maml:para><maml:para>Example: PasswordPolicyLevel1 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a fine-grained password policy object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=Strict Password Policy,CN=Password Settings Container,CN=System,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a fine-grained password policy object instance named "fineGrainedPasswordPolicyInstance". </maml:para><maml:para>-Identity $fineGrainedPasswordPolicyInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADFineGrainedPasswordPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADFineGrainedPasswordPolicy</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchBase</maml:name><maml:description><maml:para>Specifies an Active Directory path to search under. </maml:para><maml:para>When you run a cmdlet from an Active Directory provider drive, the default value of this parameter is the current path of the drive. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD DS target, the default value of this parameter is the default naming context of the target domain. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD LDS target, the default value is the default naming context of the target LDS instance if one has been specified by setting the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. If no default naming context has been specified for the target AD LDS instance, then this parameter has no default value. </maml:para><maml:para>The following example shows how to set this parameter to search under an OU. </maml:para><maml:para>-SearchBase "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>When the value of the SearchBase parameter is set to an empty string and you are connected to a GC port, all partitions will be searched. If the value of the SearchBase parameter is set to an empty string and you are not connected to a GC port, an error will be thrown. </maml:para><maml:para>The following example shows how to set this parameter to an empty string. -SearchBase "" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchScope</maml:name><maml:description><maml:para>Specifies the scope of an Active Directory search. Possible values for this parameter are: </maml:para><maml:para>Base or 0 </maml:para><maml:para>OneLevel or 1 </maml:para><maml:para>Subtree or 2 </maml:para><maml:para>A Base query searches only the current path or object. A OneLevel query searches the immediate children of that path or object. A Subtree query searches the current path or object and all children of that path or object. </maml:para><maml:para>The following example shows how to set this parameter to a subtree search. </maml:para><maml:para>-SearchScope Subtree </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Base</command:parameterValue><command:parameterValue required="true" variableLength="false">OneLevel</command:parameterValue><command:parameterValue required="true" variableLength="false">Subtree</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LDAPFilter</maml:name><maml:description><maml:para>Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description and the about_ActiveDirectory_Filter. </maml:para><maml:para>The following example shows how to set this parameter to search for all objects in the organizational unit specified by the SearchBase parameter with a name beginning with "sara". </maml:para><maml:para>-LDAPFilter "(name=sara*)" -SearchScope Subtree -SearchBase "DC=NA,DC=fabrikam,DC=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory fine-grained password policy object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name (distinguishedName) </maml:para><maml:para>Example: CN=Strict Password Policy,CN=Password Settings Container,CN=System,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Name (name) </maml:para><maml:para>Example: PasswordPolicyLevel1 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a fine-grained password policy object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=Strict Password Policy,CN=Password Settings Container,CN=System,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a fine-grained password policy object instance named "fineGrainedPasswordPolicyInstance". </maml:para><maml:para>-Identity $fineGrainedPasswordPolicyInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADFineGrainedPasswordPolicy</command:parameterValue><dev:type><maml:name>ADFineGrainedPasswordPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LDAPFilter</maml:name><maml:description><maml:para>Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description and the about_ActiveDirectory_Filter. </maml:para><maml:para>The following example shows how to set this parameter to search for all objects in the organizational unit specified by the SearchBase parameter with a name beginning with "sara". </maml:para><maml:para>-LDAPFilter "(name=sara*)" -SearchScope Subtree -SearchBase "DC=NA,DC=fabrikam,DC=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue>256</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchBase</maml:name><maml:description><maml:para>Specifies an Active Directory path to search under. </maml:para><maml:para>When you run a cmdlet from an Active Directory provider drive, the default value of this parameter is the current path of the drive. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD DS target, the default value of this parameter is the default naming context of the target domain. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD LDS target, the default value is the default naming context of the target LDS instance if one has been specified by setting the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. If no default naming context has been specified for the target AD LDS instance, then this parameter has no default value. </maml:para><maml:para>The following example shows how to set this parameter to search under an OU. </maml:para><maml:para>-SearchBase "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>When the value of the SearchBase parameter is set to an empty string and you are connected to a GC port, all partitions will be searched. If the value of the SearchBase parameter is set to an empty string and you are not connected to a GC port, an error will be thrown. </maml:para><maml:para>The following example shows how to set this parameter to an empty string. -SearchBase "" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchScope</maml:name><maml:description><maml:para>Specifies the scope of an Active Directory search. Possible values for this parameter are: </maml:para><maml:para>Base or 0 </maml:para><maml:para>OneLevel or 1 </maml:para><maml:para>Subtree or 2 </maml:para><maml:para>A Base query searches only the current path or object. A OneLevel query searches the immediate children of that path or object. A Subtree query searches the current path or object and all children of that path or object. </maml:para><maml:para>The following example shows how to set this parameter to a subtree search. </maml:para><maml:para>-SearchScope Subtree </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADSearchScope</command:parameterValue><dev:type><maml:name>ADSearchScope</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A fine grained password policy is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns one or more fine grained password policy objects. </maml:para><maml:para>This cmdlet returns a default set of ADFineGrainedPasswordPolicy property values. To retrieve additional ADFineGrainedPasswordPolicy properties, use the Properties parameter. </maml:para><maml:para>To view the properties for an ADFineGrainedPasswordPolicy object, see the following examples. To run these examples, replace <fine grained password policy> with a fine grained password policy identifier such as the name of your local fine grained password policy. </maml:para><maml:para>To get a list of the default set of properties of an ADFineGrainedPasswordPolicy object, use the following command: </maml:para><maml:para>Get-ADFineGrainedPasswordPolicy <fine grained password policy>| Get-Member </maml:para><maml:para>To get a list of all the properties of an ADFineGrainedPasswordPolicy object, use the following command: </maml:para><maml:para>Get-ADFineGrainedPasswordPolicy <fine grained password policy> -Properties * | Get-Member </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with AD LDS. </maml:para><maml:para>This cmdlet does not work when targeting a snapshot using the Server parameter. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADFineGrainedPasswordPolicy -Filter {Name -like "*"} | ft Name, Precedence,MaxPasswordAge,MinPasswordLength -A Name Precedence MaxPasswordAge MinPasswordLength ---- ---------- -------------- ----------------- DomainUsersPSO 500 60.00:00:00 8 SvcAccPSO 100 30.00:00:00 20 AdminsPSO 200 15.00:00:00 10 DlgtdAdminsPSO 300 20.00:00:00 10 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADFineGrainedPasswordPolicy AdminsPSO Name : AdminsPSO ComplexityEnabled : True LockoutThreshold : 0 ReversibleEncryptionEnabled : True LockoutDuration : 00:30:00 LockoutObservationWindow : 00:30:00 MinPasswordLength : 10 Precedence : 200 ObjectGUID : ba1061f0-c947-4018-a399-6ad8897d26e3 ObjectClass : msDS-PasswordSettings PasswordHistoryCount : 24 MinPasswordAge : 1.00:00:00 MaxPasswordAge : 15.00:00:00 AppliesTo : {} DistinguishedName : CN=AdminsPSO,CN=Password Settings Container,CN=System,DC=FABRIKAM,DC=COM </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the Fine Grained Password Policy named 'AdminsPSO'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADFineGrainedPasswordPolicy 'CN=DlgtdAdminsPSO,CN=Password Settings Container,CN=System,DC=FABRIKAM,DC=COM' -Properties * msDS-LockoutDuration : -18000000000 msDS-PasswordSettingsPrecedence : 300 ObjectCategory : CN=ms-DS-Password-Settings,CN=Schema,CN=Configuration,DC=FABRIKAM,DC=COM DistinguishedName : CN=DlgtdAdminsPSO,CN=Password Settings Container,CN=System,DC=FABRIKAM,DC=COM ExpireOn : msDS-MinimumPasswordAge : -864000000000 dSCorePropagationData : {12/31/1600 4:00:00 PM} msDS-LockoutThreshold : 0 Description : The Delegated Administrators Password Policy LockoutThreshold : 0 instanceType : 4 msDS-PasswordComplexityEnabled : True MaxPasswordAge : 20.00:00:00 whenCreated : 8/15/2008 12:47:43 AM Name : DlgtdAdminsPSO ObjectClass : msDS-PasswordSettings ReversibleEncryptionEnabled : True msDS-PasswordReversibleEncryptionEnabled : True Dynamic : False LockoutDuration : 00:30:00 msDS-PSOAppliesTo : {CN=Kim Abercrombie,OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM, CN=Bob Kelly,OU=AsiaPacific,OU=Sales,OU=UserAccounts,DC=FABRIKAM,DC=COM} DisplayName : Delegated Administrators PSO uSNCreated : 16395 Modified : 8/20/2008 12:21:15 AM MinPasswordAge : 1.00:00:00 ProtectedFromAccidentalDeletion : False Created : 8/15/2008 12:47:43 AM sDRightsEffective : 15 ComplexityEnabled : True PasswordHistoryCount : 24 msDS-MaximumPasswordAge : -17280000000000 MinPasswordLength : 10 Precedence : 300 ObjectGUID : 75cf8c7a-9c93-4e81-b611-851803372cb2 msDS-MinimumPasswordLength : 10 Deleted : Orphaned : False CN : DlgtdAdminsPSO LastKnownParent : CanonicalName : FABRIKAM.COM/System/Password Settings Container/DlgtdAdminsPSO modifyTimeStamp : 8/20/2008 12:21:15 AM msDS-LockoutObservationWindow : -18000000000 LockoutObservationWindow : 00:30:00 whenChanged : 8/20/2008 12:21:15 AM createTimeStamp : 8/15/2008 12:47:43 AM msDS-PasswordHistoryLength : 24 nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity AppliesTo : {CN=JeffPrice,OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM, CN=GlenJohn,OU=AsiaPacific,OU=Sales,OU=UserAccounts,DC=FABRIKAM,DC=COM} uSNChanged : 72719 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all the properties for the Fine Grained Password Policy with DistinguishedName 'CN=DlgtdAdminsPSO,CN=Password Settings Container,CN=System,DC=FABRIKAM,DC=COM'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADFineGrainedPasswordPolicy -Filter {name -like "*admin*"} AppliesTo : {CN=GlenJohn,CN=Users,DC=Fabrikam,DC=com, CN=JeffPrice,CN=Users,DC=Fabrikam,DC=com, CN=Administrator,CN=Users,DC=Fabrikam,DC=com} ComplexityEnabled : True DistinguishedName : CN=DlgtdAdminsPSO,CN=Password Settings Container,CN=System,DC=Fabrikam,DC=com LockoutDuration : 00:30:00 LockoutObservationWindow : 00:30:00 LockoutThreshold : 0 MaxPasswordAge : 42.00:00:00 MinPasswordAge : 1.00:00:00 MinPasswordLength : 7 Name : DlgtdAdminsPSO ObjectClass : msDS-PasswordSettings ObjectGUID : b7de4e6e-c291-4ce6-bb47-6bf8f807df53 PasswordHistoryCount : 24 Precedence : 100 ReversibleEncryptionEnabled : True </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all the Fine Grained Password Policy object that have a name that begins with admin. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291029</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Add-ADFineGrainedPasswordPolicySubject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADFineGrainedPasswordPolicy</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADFineGrainedPasswordPolicy</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADFineGrainedPasswordPolicySubject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADFineGrainedPasswordPolicy</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADFineGrainedPasswordPolicySubject</command:name><maml:description><maml:para>Gets the users and groups to which a fine grained password policy is applied.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADFineGrainedPasswordPolicySubject</command:noun><dev:version /></command:details><maml:description><maml:para>The Get- ADFineGrainedPasswordPolicySubject cmdlet gets users and groups that are subject to a fine grained password policy. </maml:para><maml:para>The Identity parameter specifies the fine grained password policy. You can identify a fine grained password policy by its distinguished name, GUID or name. You can also set the Identity parameter to a fine grained password policy object variable, such as $<localPasswordPolicyObject>, or pass a fine grained password policy object through the pipeline to the Identity parameter. For example, you can use the Get-ADFineGrainedPasswordPolicy cmdlet to retrieve a fine grained password policy object and then pass the object through the pipeline to the Get- ADFineGrainedPasswordPolicySubject cmdlet. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADFineGrainedPasswordPolicySubject</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory fine-grained password policy object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name (distinguishedName) </maml:para><maml:para>Example: CN=Strict Password Policy,CN=Password Settings Container,CN=System,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Name (name) </maml:para><maml:para>Example: PasswordPolicyLevel1 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a fine-grained password policy object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=Strict Password Policy,CN=Password Settings Container,CN=System,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a fine-grained password policy object instance named "fineGrainedPasswordPolicyInstance". </maml:para><maml:para>-Identity $fineGrainedPasswordPolicyInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADFineGrainedPasswordPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory fine-grained password policy object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name (distinguishedName) </maml:para><maml:para>Example: CN=Strict Password Policy,CN=Password Settings Container,CN=System,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Name (name) </maml:para><maml:para>Example: PasswordPolicyLevel1 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a fine-grained password policy object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=Strict Password Policy,CN=Password Settings Container,CN=System,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a fine-grained password policy object instance named "fineGrainedPasswordPolicyInstance". </maml:para><maml:para>-Identity $fineGrainedPasswordPolicyInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADFineGrainedPasswordPolicy</command:parameterValue><dev:type><maml:name>ADFineGrainedPasswordPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A fine grained password policy object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADPrincipal</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns principal objects that represent the users and groups to which the fine grained password policy is applied. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with AD LDS. </maml:para><maml:para>This cmdlet does not work when targeting a snapshot using the Server parameter. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADFineGrainedPasswordPolicySubject -Identity DomainUsersPSO | FT Name,ObjectClass,DistinguishedName -AutoSize Name ObjectClass DistinguishedName ---- ----------- ----------------- Domain Users group CN=Domain Users,CN=Users,DC=FABRIKAM,DC=COM </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the Fine Grained Password Policy subject of the Password Policy named 'DomainUsersPSO'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291030</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADFineGrainedPasswordPolicy</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADForest</command:name><maml:description><maml:para>Gets an Active Directory forest.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADForest</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADForest cmdlet gets the Active Directory forest specified by the parameters. You can specify the forest by setting the Identity or Current parameters. </maml:para><maml:para>The Identity parameter specifies the Active Directory forest to get. You can identify a forest by its fully qualified domain name (FQDN), DNS host name, or NetBIOS name. You can also set the parameter to a forest object variable, such as $<localForestObject> or you can pass a forest object through the pipeline to the Identity parameter. </maml:para><maml:para>To retrieve the forest of the local computer or current logged on user (CLU) set the Current parameter to LocalComputer or LoggedOnUser. When you set the Current parameter, you do not need to set the Identity parameter. </maml:para><maml:para>When the Current parameter is set to LocalComputer or LoggedOnUser, the cmdlet uses the Server and Credential parameter values to determine the domain and the credentials to use to identify the domain of the forest according to the following rules. </maml:para><maml:para>-If both the Server and Credential parameters are not specified: </maml:para><maml:para>--The domain is set to the domain of the LocalComputer or LoggedOnUser and a server is located in this domain. The credentials of the current logged on user are used to get the domain. </maml:para><maml:para>-If the Server parameter is specified and the Credential parameter is not specified: </maml:para><maml:para>--The domain is set to the domain of the specified server and the cmdlet checks to make sure that the server is in the domain of the LocalComputer or LoggedOnUser. Then the credentials of the current logged on user are used to get the domain. An error is returned when the server is not in the domain of the LocalComputer or LoggedOnUser. </maml:para><maml:para>-If the Server parameter is not specified and the Credential parameter is specified: </maml:para><maml:para>--The domain is set to the domain of the LocalComputer or LoggedOnUser and a server is located in this domain. Then the credentials specified by the Credential parameter are used to get the domain. </maml:para><maml:para>If the Server and Credential parameters are specified: </maml:para><maml:para>The domain is set to the domain of the specified server and the cmdlet checks to make sure that the server is in the domain of the LocalComputer or LoggedOnUser. Then the credentials specified by the Credential parameter are used to get the domain. An error is returned when the server is not in the domain of the LocalComputer or LoggedOnUser. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADForest</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Current</maml:name><maml:description><maml:para>Specifies whether to return the domain of the local computer or the current logged on user (CLU). Possible values for this parameter are: </maml:para><maml:para>LocalComputer or 0 </maml:para><maml:para>LoggedOnUser or 1 </maml:para><maml:para>The following example shows how to set this parameter to return the domain of the current logged on user. </maml:para><maml:para>-Current LoggedOnUser </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">LocalComputer</command:parameterValue><command:parameterValue required="true" variableLength="false">LoggedOnUser</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADForest</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory forest object by providing one of the following attribute values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Example: corp.contoso.com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>DNS host name </maml:para><maml:para>Example: dnsServer.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a forest object instance. </maml:para><maml:para>This example shows how to set the parameter to a fully qualified domain name. </maml:para><maml:para>-Identity "corp.contoso.com" </maml:para><maml:para>This example shows how to set this parameter to a forest object instance named "forestInstance". </maml:para><maml:para>-Identity $forestInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADForest</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Current</maml:name><maml:description><maml:para>Specifies whether to return the domain of the local computer or the current logged on user (CLU). Possible values for this parameter are: </maml:para><maml:para>LocalComputer or 0 </maml:para><maml:para>LoggedOnUser or 1 </maml:para><maml:para>The following example shows how to set this parameter to return the domain of the current logged on user. </maml:para><maml:para>-Current LoggedOnUser </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADCurrentForestType</command:parameterValue><dev:type><maml:name>ADCurrentForestType</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory forest object by providing one of the following attribute values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Example: corp.contoso.com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>DNS host name </maml:para><maml:para>Example: dnsServer.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a forest object instance. </maml:para><maml:para>This example shows how to set the parameter to a fully qualified domain name. </maml:para><maml:para>-Identity "corp.contoso.com" </maml:para><maml:para>This example shows how to set this parameter to a forest object instance named "forestInstance". </maml:para><maml:para>-Identity $forestInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADForest</command:parameterValue><dev:type><maml:name>ADForest</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADForest</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A forest object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADForest</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns one or more forest objects. </maml:para><maml:para>This cmdlet returns all of the properties of the forest. To view all of the properties for an ADForest object, use the following command and replace <forest> with a forest identifier such as a DNS host name. </maml:para><maml:para>Get-ADForest <forest>| Get-Member </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with AD LDS. </maml:para><maml:para>This cmdlet does not work when targeting a snapshot using the Server parameter. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADForest Fabrikam.com </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the forest information of the Fabrikam.com forest. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADForest -Current LocalComputer </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the forest information of the current local computer's forest. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADForest -Current LoggedOnUser </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the forest information of the current logged on users's forest. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADForest ApplicationPartitions : {DC=ForestDnsZones,DC=Fabrikam,DC=com, DC=DomainDnsZones,DC=Fabrikam,DC=com} CrossForestReferences : {CN=northwind,CN=Partitions,CN=Configuration,DC=Fabrikam,DC=com} DomainNamingMaster : Fabrikam-DC1.Fabrikam.com Domains : {Fabrikam.com} ForestMode : Windows2003Forest GlobalCatalogs : {Fabrikam-DC1.Fabrikam.com, CSD2722780.Fabrikam.com} Name : Fabrikam.com PartitionsContainer : CN=Partitions,CN=Configuration,DC=Fabrikam,DC=com RootDomain : Fabrikam.com SchemaMaster : Fabrikam-DC1.Fabrikam.com Sites : {Default-First-Site-Name, UnitedKingdomHQ, BO3, RODC-Site-Name} SPNSuffixes : {} UPNSuffixes : {} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Gets the forest information for the forest of the currently logged on user. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 5 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>$allDCs = (Get-ADForest).Domains | %{ Get-ADDomainController –Filter * -Server $_ } </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Gets a list of all the domain controllers for all domain within a forest. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291031</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADForest</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADForestMode</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADGroup</command:name><maml:description><maml:para>Gets one or more Active Directory groups.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADGroup</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADGroup cmdlet gets a group or performs a search to retrieve multiple groups from an Active Directory. </maml:para><maml:para>The Identity parameter specifies the Active Directory group to get. You can identify a group by its distinguished name (DN), GUID, security identifier (SID), Security Accounts Manager (SAM) account name, or canonical name. You can also specify group object variable, such as $<localGroupObject>. </maml:para><maml:para>To search for and retrieve more than one group, use the Filter or LDAPFilter parameters. The Filter parameter uses the PowerShell Expression Language to write query strings for Active Directory. PowerShell Expression Language syntax provides rich type conversion support for value types received by the Filter parameter. For more information about the Filter parameter syntax, see about_ActiveDirectory_Filter. If you have existing LDAP query strings, you can use the LDAPFilter parameter. </maml:para><maml:para>This cmdlet gets a default set of group object properties. To get additional properties use the Properties parameter. For more information about the how to determine the properties for group objects, see the Properties parameter description. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADGroup</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchBase</maml:name><maml:description><maml:para>Specifies an Active Directory path to search under. </maml:para><maml:para>When you run a cmdlet from an Active Directory provider drive, the default value of this parameter is the current path of the drive. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD DS target, the default value of this parameter is the default naming context of the target domain. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD LDS target, the default value is the default naming context of the target LDS instance if one has been specified by setting the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. If no default naming context has been specified for the target AD LDS instance, then this parameter has no default value. </maml:para><maml:para>The following example shows how to set this parameter to search under an OU. </maml:para><maml:para>-SearchBase "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>When the value of the SearchBase parameter is set to an empty string and you are connected to a GC port, all partitions will be searched. If the value of the SearchBase parameter is set to an empty string and you are not connected to a GC port, an error will be thrown. </maml:para><maml:para>The following example shows how to set this parameter to an empty string. -SearchBase "" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchScope</maml:name><maml:description><maml:para>Specifies the scope of an Active Directory search. Possible values for this parameter are: </maml:para><maml:para>Base or 0 </maml:para><maml:para>OneLevel or 1 </maml:para><maml:para>Subtree or 2 </maml:para><maml:para>A Base query searches only the current path or object. A OneLevel query searches the immediate children of that path or object. A Subtree query searches the current path or object and all children of that path or object. </maml:para><maml:para>The following example shows how to set this parameter to a subtree search. </maml:para><maml:para>-SearchScope Subtree </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Base</command:parameterValue><command:parameterValue required="true" variableLength="false">OneLevel</command:parameterValue><command:parameterValue required="true" variableLength="false">Subtree</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADGroup</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory group object by providing one of the following values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavisreports,OU=europe,CN=users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>Security Accounts Manager (SAM) Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavisreports </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saradavisreports,OU=europe,CN=users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a group object instance named "ADGroupInstance". </maml:para><maml:para>-Identity $ADGroupInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADGroup</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADGroup</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchBase</maml:name><maml:description><maml:para>Specifies an Active Directory path to search under. </maml:para><maml:para>When you run a cmdlet from an Active Directory provider drive, the default value of this parameter is the current path of the drive. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD DS target, the default value of this parameter is the default naming context of the target domain. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD LDS target, the default value is the default naming context of the target LDS instance if one has been specified by setting the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. If no default naming context has been specified for the target AD LDS instance, then this parameter has no default value. </maml:para><maml:para>The following example shows how to set this parameter to search under an OU. </maml:para><maml:para>-SearchBase "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>When the value of the SearchBase parameter is set to an empty string and you are connected to a GC port, all partitions will be searched. If the value of the SearchBase parameter is set to an empty string and you are not connected to a GC port, an error will be thrown. </maml:para><maml:para>The following example shows how to set this parameter to an empty string. -SearchBase "" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchScope</maml:name><maml:description><maml:para>Specifies the scope of an Active Directory search. Possible values for this parameter are: </maml:para><maml:para>Base or 0 </maml:para><maml:para>OneLevel or 1 </maml:para><maml:para>Subtree or 2 </maml:para><maml:para>A Base query searches only the current path or object. A OneLevel query searches the immediate children of that path or object. A Subtree query searches the current path or object and all children of that path or object. </maml:para><maml:para>The following example shows how to set this parameter to a subtree search. </maml:para><maml:para>-SearchScope Subtree </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Base</command:parameterValue><command:parameterValue required="true" variableLength="false">OneLevel</command:parameterValue><command:parameterValue required="true" variableLength="false">Subtree</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LDAPFilter</maml:name><maml:description><maml:para>Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description and the about_ActiveDirectory_Filter. </maml:para><maml:para>The following example shows how to set this parameter to search for all objects in the organizational unit specified by the SearchBase parameter with a name beginning with "sara". </maml:para><maml:para>-LDAPFilter "(name=sara*)" -SearchScope Subtree -SearchBase "DC=NA,DC=fabrikam,DC=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory group object by providing one of the following values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavisreports,OU=europe,CN=users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>Security Accounts Manager (SAM) Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavisreports </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saradavisreports,OU=europe,CN=users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a group object instance named "ADGroupInstance". </maml:para><maml:para>-Identity $ADGroupInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADGroup</command:parameterValue><dev:type><maml:name>ADGroup</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LDAPFilter</maml:name><maml:description><maml:para>Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description and the about_ActiveDirectory_Filter. </maml:para><maml:para>The following example shows how to set this parameter to search for all objects in the organizational unit specified by the SearchBase parameter with a name beginning with "sara". </maml:para><maml:para>-LDAPFilter "(name=sara*)" -SearchScope Subtree -SearchBase "DC=NA,DC=fabrikam,DC=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue>256</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchBase</maml:name><maml:description><maml:para>Specifies an Active Directory path to search under. </maml:para><maml:para>When you run a cmdlet from an Active Directory provider drive, the default value of this parameter is the current path of the drive. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD DS target, the default value of this parameter is the default naming context of the target domain. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD LDS target, the default value is the default naming context of the target LDS instance if one has been specified by setting the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. If no default naming context has been specified for the target AD LDS instance, then this parameter has no default value. </maml:para><maml:para>The following example shows how to set this parameter to search under an OU. </maml:para><maml:para>-SearchBase "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>When the value of the SearchBase parameter is set to an empty string and you are connected to a GC port, all partitions will be searched. If the value of the SearchBase parameter is set to an empty string and you are not connected to a GC port, an error will be thrown. </maml:para><maml:para>The following example shows how to set this parameter to an empty string. -SearchBase "" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchScope</maml:name><maml:description><maml:para>Specifies the scope of an Active Directory search. Possible values for this parameter are: </maml:para><maml:para>Base or 0 </maml:para><maml:para>OneLevel or 1 </maml:para><maml:para>Subtree or 2 </maml:para><maml:para>A Base query searches only the current path or object. A OneLevel query searches the immediate children of that path or object. A Subtree query searches the current path or object and all children of that path or object. </maml:para><maml:para>The following example shows how to set this parameter to a subtree search. </maml:para><maml:para>-SearchScope Subtree </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADSearchScope</command:parameterValue><dev:type><maml:name>ADSearchScope</maml:name><maml:uri /></dev:type><dev:defaultValue>Subtree</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADGroup</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A group object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADGroup</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns one or more group objects. </maml:para><maml:para>The Get-ADGroup cmdlet returns a default set of ADGroup property values. To retrieve additional ADGroup properties, use the Properties parameter. </maml:para><maml:para>To view the properties for an ADGroup object, see the following examples. To run these examples, replace <group> with a group identifier such as Administrators. </maml:para><maml:para>To get a list of the default set of properties of an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup <group>| Get-Member </maml:para><maml:para>To get a list of all the properties of an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup <group> -Properties * | Get-Member </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADGroup administrators DistinguishedName : CN=Administrators,CN=Builtin,DC=Fabrikam,DC=com GroupCategory : Security GroupScope : DomainLocal Name : Administrators ObjectClass : group ObjectGUID : 02ce3874-dd86-41ba-bddc-013f34019978 SamAccountName : Administrators SID : S-1-5-32-544 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the group with samAccountName administrators. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>get-adgroup -Identity S-1-5-32-544 -Properties member DistinguishedName : CN=Administrators,CN=Builtin,DC=Fabrikam,DC=com GroupCategory : Security GroupScope : DomainLocal member : {CN=Domain Admins,CN=Users,DC=Fabrikam,DC=com, CN=Enterprise Admins,CN=Users,DC=Fabrikam,DC=com, CN=LabAdmin,CN=Users,DC=Fabrikam,DC=com, C N=Administrator,CN=Users,DC=Fabrikam,DC=com} Name : Administrators ObjectClass : group ObjectGUID : 02ce3874-dd86-41ba-bddc-013f34019978 SamAccountName : Administrators SID : S-1-5-32-544 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the group with SID S-1-5-32-544 including the additional property member. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>get-adgroup -Filter 'GroupCategory -eq "Security" -and GroupScope -ne "DomainLocal"' </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all groups that have a GroupCategory of Security but do not have a GroupScope of DomainLocal. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>get-adgroup -server localhost:60000 -filter {GroupScope -eq "DomainLocal"} -SearchBase "DC=AppNC" DistinguishedName : CN=AlphaGroup,OU=AccountDeptOU,DC=AppNC GroupCategory : Security GroupScope : DomainLocal Name : AlphaGroup ObjectClass : group ObjectGUID : 6498c9fb-7c62-48fe-9972-1461f7f3dec2 SID : S-1-510474493-936115905-2475435479-1276657127-1006239422-938965137 DistinguishedName : CN=BranchOffice1,OU=AccountDeptOU,DC=AppNC GroupCategory : Security GroupScope : DomainLocal Name : BranchOffice1 ObjectClass : group ObjectGUID : 0b7504c5-482b-4a73-88f5-8a76960e4568 SID : S-1-510474493-936115905-2534227223-1194883713-3669005192-3746664089 DistinguishedName : CN=AccountLeads,OU=AccountDeptOU,DC=AppNC GroupCategory : Distribution GroupScope : DomainLocal Name : AccountLeads ObjectClass : group ObjectGUID : b20c032b-2de9-401a-b48c-341854a37254 SID : S-1-510474493-936115905-2813670187-1179675302-2001457839-270172950 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all the DomainLocal groups from the AppNC partition of the AD LDS instance. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291032</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADGroup</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADGroup</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADGroup</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADGroupMember</command:name><maml:description><maml:para>Gets the members of an Active Directory group. </maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADGroupMember</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADGroupMember cmdlet gets the members of an Active Directory group. Members can be users, groups, and computers. </maml:para><maml:para>The Identity parameter specifies the Active Directory group to access. You can identify a group by its distinguished name (DN), GUID, security identifier (SID), or Security Accounts Manager (SAM) account name. You can also specify the group by passing a group object through the pipeline. For example, you can use the Get-ADGroup cmdlet to retrieve a group object and then pass the object through the pipeline to the Get-ADGroupMember cmdlet. </maml:para><maml:para>If the Recursive parameter is specified, the cmdlet gets all members in the hierarchy of the group that do not contain child objects. For example, if the group SaraDavisReports contains the user KarenToh and the group JohnSmithReports, and JohnSmithReports contains the user JoshPollock, then the cmdlet returns KarenToh and JoshPollock. </maml:para><maml:para>For AD LDS environments, the Partition parameter must be specified except in the following two conditions: </maml:para><maml:para>-The cmdlet is run from an Active Directory provider drive. </maml:para><maml:para>-A default naming context or partition is defined for the AD LDS environment. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADGroupMember</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory group object by providing one of the following values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavisreports,OU=europe,CN=users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>Security Accounts Manager (SAM) Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavisreports </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saradavisreports,OU=europe,CN=users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a group object instance named "ADGroupInstance". </maml:para><maml:para>-Identity $ADGroupInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADGroup</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Recursive</maml:name><maml:description><maml:para>Specifies that the cmdlet get all members in the hierarchy of a group that do not contain child objects. The following example shows a hierarchy for the group SaraDavisReports. </maml:para><maml:para>+SaraDavisReports [group] </maml:para><maml:para>-KarenToh [user] </maml:para><maml:para>-MattHinkLaptop [computer] </maml:para><maml:para>+JohnSmithReports [group] </maml:para><maml:para>-JoshPollock [user] </maml:para><maml:para>-ArmandoPinto [user] </maml:para><maml:para>+JohnSmithComputers [group] </maml:para><maml:para>-JoshComputer [computer] </maml:para><maml:para>If you specify SaraDavisReports as the group and specify the Recursive parameter, the following members and sub-members are returned. </maml:para><maml:para>KarenToh </maml:para><maml:para>MattHinkLaptop </maml:para><maml:para>JoshPollock </maml:para><maml:para>ArmandoPinto </maml:para><maml:para>JoshComputer </maml:para><maml:para>If the specified group does not have any members, then nothing is returned. </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-Recursive </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory group object by providing one of the following values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavisreports,OU=europe,CN=users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>Security Accounts Manager (SAM) Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavisreports </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saradavisreports,OU=europe,CN=users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a group object instance named "ADGroupInstance". </maml:para><maml:para>-Identity $ADGroupInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADGroup</command:parameterValue><dev:type><maml:name>ADGroup</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Recursive</maml:name><maml:description><maml:para>Specifies that the cmdlet get all members in the hierarchy of a group that do not contain child objects. The following example shows a hierarchy for the group SaraDavisReports. </maml:para><maml:para>+SaraDavisReports [group] </maml:para><maml:para>-KarenToh [user] </maml:para><maml:para>-MattHinkLaptop [computer] </maml:para><maml:para>+JohnSmithReports [group] </maml:para><maml:para>-JoshPollock [user] </maml:para><maml:para>-ArmandoPinto [user] </maml:para><maml:para>+JohnSmithComputers [group] </maml:para><maml:para>-JoshComputer [computer] </maml:para><maml:para>If you specify SaraDavisReports as the group and specify the Recursive parameter, the following members and sub-members are returned. </maml:para><maml:para>KarenToh </maml:para><maml:para>MattHinkLaptop </maml:para><maml:para>JoshPollock </maml:para><maml:para>ArmandoPinto </maml:para><maml:para>JoshComputer </maml:para><maml:para>If the specified group does not have any members, then nothing is returned. </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-Recursive </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADGroup</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A group object is received by the Identity parameter </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADPrincipal</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns one or more principal objects that represent users, computers or groups that are members of the specified group. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work when a group has members located in a different forest, and the forest does not have Active Directory Web Service running. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>get-adgroupmember cmdlet Get-ADGroupMember at command pipeline position 1 Supply values for the following parameters: (Type !? for Help.) Identity: Administrators distinguishedName : CN=Domain Admins,CN=Users,DC=Fabrikam,DC=com name : Domain Admins objectClass : group objectGUID : 5ccc6037-c2c9-42be-8e92-c8f98afd0011 SamAccountName : Domain Admins SID : S-1-5-21-41432690-3719764436-1984117282-512 distinguishedName : CN=Enterprise Admins,CN=Users,DC=Fabrikam,DC=com name : Enterprise Admins objectClass : group objectGUID : 0215b0a5-aea1-40da-b598-720efe930ddf SamAccountName : Enterprise Admins SID : S-1-5-21-41432690-3719764436-1984117282-519 distinguishedName : CN=LabAdmin,CN=Users,DC=Fabrikam,DC=com name : LabAdmin objectClass : user objectGUID : ab7c269d-aec5-4fcc-aebe-6cd1a2e6cd53 SamAccountName : LabAdmin SID : S-1-5-21-41432690-3719764436-1984117282-1000 distinguishedName : CN=Administrator,CN=Users,DC=Fabrikam,DC=com name : Administrator objectClass : user objectGUID : 994f46e6-c62c-483f-a6cf-124197b6a959 SamAccountName : Administrator SID : S-1-5-21-41432690-3719764436-1984117282-500 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all the members of the administrators groups using the default behavior. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>get-adgroup -server localhost:60000 -filter {GroupScope -eq "DomainLocal"} -SearchBase "DC=AppNC" | get-adgroupmember -partition "DC=AppNC" distinguishedName : CN=SanjayPatel,OU=AccountDeptOU,DC=AppNC name : SanjayPatel objectClass : user objectGUID : d671de28-6e40-42a7-b32c-63d336de296d SamAccountName : SID : S-1-510474493-936115905-2231798853-1260534229-4171027843-767619944 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the groups members of all domain local groups in the AD LDS instance. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>get-adgroupmember -Identity administrators distinguishedName : CN=Domain Admins,CN=Users,DC=Fabrikam,DC=com name : Domain Admins objectClass : group objectGUID : 5ccc6037-c2c9-42be-8e92-c8f98afd0011 SamAccountName : Domain Admins SID : S-1-5-21-41432690-3719764436-1984117282-512 distinguishedName : CN=Enterprise Admins,CN=Users,DC=Fabrikam,DC=com name : Enterprise Admins objectClass : group objectGUID : 0215b0a5-aea1-40da-b598-720efe930ddf SamAccountName : Enterprise Admins SID : S-1-5-21-41432690-3719764436-1984117282-519 distinguishedName : CN=LabAdmin,CN=Users,DC=Fabrikam,DC=com name : LabAdmin objectClass : user objectGUID : ab7c269d-aec5-4fcc-aebe-6cd1a2e6cd53 SamAccountName : LabAdmin SID : S-1-5-21-41432690-3719764436-1984117282-1000 distinguishedName : CN=Administrator,CN=Users,DC=Fabrikam,DC=com name : Administrator objectClass : user objectGUID : 994f46e6-c62c-483f-a6cf-124197b6a959 SamAccountName : Administrator SID : S-1-5-21-41432690-3719764436-1984117282-500 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all the group members of the administrators group. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>get-adgroupmember "Enterprise Admins" -recursive distinguishedName : CN=Administrator,CN=Users,DC=Fabrikam,DC=com name : Administrator objectClass : user objectGUID : 994f46e6-c62c-483f-a6cf-124197b6a959 SamAccountName : Administrator SID : S-1-5-21-41432690-3719764436-1984117282-500 distinguishedName : CN=Sagiv Hadaya,CN=Users,DC=Fabrikam,DC=com name : Sagiv Hadaya objectClass : user objectGUID : 64706230-f179-4fe4-b8c9-f0d334e66ab1 SamAccountName : SHadaya SID : S-1-5-21-41432690-3719764436-1984117282-1158 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all the members of the 'Enterprise Admins' group including the members of any child groups. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291033</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Add-ADGroupMember</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Add-ADPrincipalGroupMembership</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADGroup</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADPrincipalGroupMembership</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADGroupMember</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADPrincipalGroupMembership</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADObject</command:name><maml:description><maml:para>Gets one or more Active Directory objects.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADObject</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADObject cmdlet gets an Active Directory object or performs a search to retrieve multiple objects. </maml:para><maml:para>The Identity parameter specifies the Active Directory object to get. You can identify the object to get by its distinguished name (DN) or GUID. You can also set the parameter to an Active Directory object variable, such as $<localADObject> or pass an object through the pipeline to the Identity parameter. </maml:para><maml:para>To search for and retrieve more than one object, use the Filter or LDAPFilter parameters. The Filter parameter uses the PowerShell Expression Language to write query strings for Active Directory. PowerShell Expression Language syntax provides rich type conversion support for value types received by the Filter parameter. For more information about the Filter parameter syntax, see about_ActiveDirectory_Filter. If you have existing LDAP query strings, you can use the LDAPFilter parameter. </maml:para><maml:para>This cmdlet gets a default set of Active Directory object properties. To get additional properties use the Properties parameter. For more information about the how to determine the properties for computer objects, see the Properties parameter description. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADObject</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>IncludeDeletedObjects</maml:name><maml:description><maml:para>Specifies to retrieve deleted objects and the deactivated forward and backward links. When this parameter is specified, the cmdlet uses the following LDAP controls: </maml:para><maml:para>Show Deleted Objects (1.2.840.113556.1.4.417) </maml:para><maml:para>Show Deactivated Links (1.2.840.113556.1.4.2065) </maml:para><maml:para>Note: If this parameter is not specified, the cmdlet will not return or operate on deleted objects. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchBase</maml:name><maml:description><maml:para>Specifies an Active Directory path to search under. </maml:para><maml:para>When you run a cmdlet from an Active Directory provider drive, the default value of this parameter is the current path of the drive. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD DS target, the default value of this parameter is the default naming context of the target domain. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD LDS target, the default value is the default naming context of the target LDS instance if one has been specified by setting the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. If no default naming context has been specified for the target AD LDS instance, then this parameter has no default value. </maml:para><maml:para>The following example shows how to set this parameter to search under an OU. </maml:para><maml:para>-SearchBase "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>When the value of the SearchBase parameter is set to an empty string and you are connected to a GC port, all partitions will be searched. If the value of the SearchBase parameter is set to an empty string and you are not connected to a GC port, an error will be thrown. </maml:para><maml:para>The following example shows how to set this parameter to an empty string. -SearchBase "" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchScope</maml:name><maml:description><maml:para>Specifies the scope of an Active Directory search. Possible values for this parameter are: </maml:para><maml:para>Base or 0 </maml:para><maml:para>OneLevel or 1 </maml:para><maml:para>Subtree or 2 </maml:para><maml:para>A Base query searches only the current path or object. A OneLevel query searches the immediate children of that path or object. A Subtree query searches the current path or object and all children of that path or object. </maml:para><maml:para>The following example shows how to set this parameter to a subtree search. </maml:para><maml:para>-SearchScope Subtree </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Base</command:parameterValue><command:parameterValue required="true" variableLength="false">OneLevel</command:parameterValue><command:parameterValue required="true" variableLength="false">Subtree</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADObject</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavis,OU=users,OU=asia,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADDomain </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADObject</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>IncludeDeletedObjects</maml:name><maml:description><maml:para>Specifies to retrieve deleted objects and the deactivated forward and backward links. When this parameter is specified, the cmdlet uses the following LDAP controls: </maml:para><maml:para>Show Deleted Objects (1.2.840.113556.1.4.417) </maml:para><maml:para>Show Deactivated Links (1.2.840.113556.1.4.2065) </maml:para><maml:para>Note: If this parameter is not specified, the cmdlet will not return or operate on deleted objects. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADObject</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>IncludeDeletedObjects</maml:name><maml:description><maml:para>Specifies to retrieve deleted objects and the deactivated forward and backward links. When this parameter is specified, the cmdlet uses the following LDAP controls: </maml:para><maml:para>Show Deleted Objects (1.2.840.113556.1.4.417) </maml:para><maml:para>Show Deactivated Links (1.2.840.113556.1.4.2065) </maml:para><maml:para>Note: If this parameter is not specified, the cmdlet will not return or operate on deleted objects. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchBase</maml:name><maml:description><maml:para>Specifies an Active Directory path to search under. </maml:para><maml:para>When you run a cmdlet from an Active Directory provider drive, the default value of this parameter is the current path of the drive. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD DS target, the default value of this parameter is the default naming context of the target domain. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD LDS target, the default value is the default naming context of the target LDS instance if one has been specified by setting the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. If no default naming context has been specified for the target AD LDS instance, then this parameter has no default value. </maml:para><maml:para>The following example shows how to set this parameter to search under an OU. </maml:para><maml:para>-SearchBase "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>When the value of the SearchBase parameter is set to an empty string and you are connected to a GC port, all partitions will be searched. If the value of the SearchBase parameter is set to an empty string and you are not connected to a GC port, an error will be thrown. </maml:para><maml:para>The following example shows how to set this parameter to an empty string. -SearchBase "" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchScope</maml:name><maml:description><maml:para>Specifies the scope of an Active Directory search. Possible values for this parameter are: </maml:para><maml:para>Base or 0 </maml:para><maml:para>OneLevel or 1 </maml:para><maml:para>Subtree or 2 </maml:para><maml:para>A Base query searches only the current path or object. A OneLevel query searches the immediate children of that path or object. A Subtree query searches the current path or object and all children of that path or object. </maml:para><maml:para>The following example shows how to set this parameter to a subtree search. </maml:para><maml:para>-SearchScope Subtree </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Base</command:parameterValue><command:parameterValue required="true" variableLength="false">OneLevel</command:parameterValue><command:parameterValue required="true" variableLength="false">Subtree</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LDAPFilter</maml:name><maml:description><maml:para>Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description and the about_ActiveDirectory_Filter. </maml:para><maml:para>The following example shows how to set this parameter to search for all objects in the organizational unit specified by the SearchBase parameter with a name beginning with "sara". </maml:para><maml:para>-LDAPFilter "(name=sara*)" -SearchScope Subtree -SearchBase "DC=NA,DC=fabrikam,DC=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavis,OU=users,OU=asia,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADDomain </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADObject</command:parameterValue><dev:type><maml:name>ADObject</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>IncludeDeletedObjects</maml:name><maml:description><maml:para>Specifies to retrieve deleted objects and the deactivated forward and backward links. When this parameter is specified, the cmdlet uses the following LDAP controls: </maml:para><maml:para>Show Deleted Objects (1.2.840.113556.1.4.417) </maml:para><maml:para>Show Deactivated Links (1.2.840.113556.1.4.2065) </maml:para><maml:para>Note: If this parameter is not specified, the cmdlet will not return or operate on deleted objects. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LDAPFilter</maml:name><maml:description><maml:para>Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description and the about_ActiveDirectory_Filter. </maml:para><maml:para>The following example shows how to set this parameter to search for all objects in the organizational unit specified by the SearchBase parameter with a name beginning with "sara". </maml:para><maml:para>-LDAPFilter "(name=sara*)" -SearchScope Subtree -SearchBase "DC=NA,DC=fabrikam,DC=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue>256</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchBase</maml:name><maml:description><maml:para>Specifies an Active Directory path to search under. </maml:para><maml:para>When you run a cmdlet from an Active Directory provider drive, the default value of this parameter is the current path of the drive. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD DS target, the default value of this parameter is the default naming context of the target domain. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD LDS target, the default value is the default naming context of the target LDS instance if one has been specified by setting the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. If no default naming context has been specified for the target AD LDS instance, then this parameter has no default value. </maml:para><maml:para>The following example shows how to set this parameter to search under an OU. </maml:para><maml:para>-SearchBase "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>When the value of the SearchBase parameter is set to an empty string and you are connected to a GC port, all partitions will be searched. If the value of the SearchBase parameter is set to an empty string and you are not connected to a GC port, an error will be thrown. </maml:para><maml:para>The following example shows how to set this parameter to an empty string. -SearchBase "" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchScope</maml:name><maml:description><maml:para>Specifies the scope of an Active Directory search. Possible values for this parameter are: </maml:para><maml:para>Base or 0 </maml:para><maml:para>OneLevel or 1 </maml:para><maml:para>Subtree or 2 </maml:para><maml:para>A Base query searches only the current path or object. A OneLevel query searches the immediate children of that path or object. A Subtree query searches the current path or object and all children of that path or object. </maml:para><maml:para>The following example shows how to set this parameter to a subtree search. </maml:para><maml:para>-SearchScope Subtree </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADSearchScope</command:parameterValue><dev:type><maml:name>ADSearchScope</maml:name><maml:uri /></dev:type><dev:defaultValue>Subtree</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADObject</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>An Active Directory object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADObject Derived types, such as the following are also accepted: Microsoft.ActiveDirectory.Management.ADGroup Microsoft.ActiveDirectory.Management.ADUser Microsoft.ActiveDirectory.Management.ADComputer Microsoft.ActiveDirectory.Management.ADServiceAccount Microsoft.ActiveDirectory.Management.ADOrganizationalUnit Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy Microsoft.ActiveDirectory.Management.ADDomain</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns one or more Active Directory objects. </maml:para><maml:para>The Get-ADObject cmdlet returns a default set of ADObject property values. To retrieve additional ADObject properties, use the Properties parameter of the cmdlet. </maml:para><maml:para>To view the properties for an ADObject object, see the following examples. To run these examples, replace <object> with an Active Directory object identifier. </maml:para><maml:para>To get a list of the default set of properties of an ADObject object, use the following command: </maml:para><maml:para>Get-ADObject <object>| Get-Member </maml:para><maml:para>To get a list of all the properties of an ADObject object, use the following command: </maml:para><maml:para>Get-ADObject <object> -Properties ALL | Get-Member </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADObject -LDAPFilter "(objectClass=site)" -SearchBase 'CN=Configuration,DC=Fabrikam,DC=Com' -Properties CanonicalName | FT Name,CanonicalName -A Name CanonicalName ---- ------------- HQ FABRIKAM.COM/Configuration/Sites/HQ BO1 FABRIKAM.COM/Configuration/Sites/BO1 BO2 FABRIKAM.COM/Configuration/Sites/BO2 BO3 FABRIKAM.COM/Configuration/Sites/BO3 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Displays a list of sites for Fabrikam using the LDAP filter syntax. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADObject -Filter 'ObjectClass -eq "site"' -SearchBase 'CN=Configuration,DC=Fabrikam,DC=Com' -Properties siteObjectBL | foreach {$_.siteObjectBL} CN=192.167.1.0/26,CN=Subnets,CN=Sites,CN=Configuration,DC=FABRIKAM,DC=COM CN=192.166.1.0/26,CN=Subnets,CN=Sites,CN=Configuration,DC=FABRIKAM,DC=COM CN=192.168.1.0/26,CN=Subnets,CN=Sites,CN=Configuration,DC=FABRIKAM,DC=COM CN=192.165.1.0/26,CN=Subnets,CN=Sites,CN=Configuration,DC=FABRIKAM,DC=COM CN=192.164.1.0/26,CN=Subnets,CN=Sites,CN=Configuration,DC=FABRIKAM,DC=COM CN=192.163.1.0/26,CN=Subnets,CN=Sites,CN=Configuration,DC=FABRIKAM,DC=COM CN=192.162.1.0/26,CN=Subnets,CN=Sites,CN=Configuration,DC=FABRIKAM,DC=COM CN=192.161.1.0/26,CN=Subnets,CN=Sites,CN=Configuration,DC=FABRIKAM,DC=COM CN=192.160.1.0/26,CN=Subnets,CN=Sites,CN=Configuration,DC=FABRIKAM,DC=COM CN=192.159.1.0/26,CN=Subnets,CN=Sites,CN=Configuration,DC=FABRIKAM,DC=COM CN=192.158.1.0/26,CN=Subnets,CN=Sites,CN=Configuration,DC=FABRIKAM,DC=COM CN=192.157.1.0/26,CN=Subnets,CN=Sites,CN=Configuration,DC=FABRIKAM,DC=COM </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Gets the Site objects from the Configuration Naming Context and then enumerates through the list outputting 'siteObjectBL'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>$changeDate = New-Object DateTime(2008, 11, 18, 1, 40, 02); Get-ADObject -Filter 'whenChanged -gt $changeDate' -IncludeDeletedObjects </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Gets all the objects, including the deleted ones, whose 'whenChanged' attribute is greater than the specified date. Note that both deleted and non-deleted (and non-recycled) objects matching the filter will be returned. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>$changeDate = New-Object DateTime(2008, 11, 18, 1, 40, 02) Get-ADObject -Filter 'whenChanged -gt $changeDate -and isDeleted -eq $true -and -not (isRecycled -eq $true) -and name -ne "Deleted Objects"' -IncludeDeletedObjects ObjectGUID : 98118958-91c7-437d-8ada-ba0b66db823b Deleted : True DistinguishedName : CN=Andrew Ma\0ADEL:98118958-91c7-437d-8ada-ba0b66db823b,CN=Deleted Objects,DC=FABRIKAM,DC=COM Name : Andrew Ma DEL:98118958-91c7-437d-8ada-ba0b66db823b ObjectClass : user </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Gets all the deleted objects, whose 'whenChanged' attribute is greater than the specified date. The clause 'name -ne "Deleted Objects"' makes sure that the Deleted Objects Container is not returned. This will only return objects which can be restored </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 5 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>$changeDate = New-Object DateTime(2008, 11, 18, 1, 40, 02) Get-ADObject -Filter 'whenChanged -gt $changeDate -and isDeleted -eq $true -and -not (isRecycled -eq $true) -and lastKnownParent -eq "OU=Accounting,DC=Fabrikam,DC=com"' -IncludeDeletedObjects ObjectGUID : 12d53e7f-aaf7-4790-b41a-da19044504db Deleted : True DistinguishedName : CN=Craig Dewar\0ADEL:12d53e7f-aaf7-4790-b41a-da19044504db,CN=Deleted Objects,DC=Fabrikam,DC=com Name : Craig Dewar DEL:12d53e7f-aaf7-4790-b41a-da19044504db ObjectClass : user </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Gets all the deleted objects whose 'whenChanged' attribute is greater then the specified date AND at the time of deletion were the children of the specified Organizational Unit. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 6 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADObject -Identity "DC=AppNC" -server "FABRIKAM-SRV1:60000" ObjectGUID DistinguishedName Name ObjectClass ---------- ----------------- ---- ----------- 62b2e185-9322-4980-9c93-cf... DC=AppNC AppNC domainDNS </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Gets the information of the domainDNS object of an LDS instance </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291034</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADObject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADObject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADObject</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADOptionalFeature</command:name><maml:description><maml:para>Gets one or more Active Directory optional features.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADOptionalFeature</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADOptionalFeature cmdlet gets an optional feature or performs a search to retrieve multiple optional features from an Active Directory. </maml:para><maml:para>The Identity parameter specifies the Active Directory optional feature that you want to get. You can identify an optional feature by its distinguished name (DN), feature GUID, or object GUID. You can also set the parameter to an optional feature object variable, such as $<localOptionalFeatureObject> or you can pass an optional feature object through the pipeline to the Identity parameter. </maml:para><maml:para>To search for and retrieve more than one optional feature, use the Filter or LDAPFilter parameters. The Filter parameter uses the PowerShell Expression Language to write query strings for Active Directory. PowerShell Expression Language syntax provides rich type conversion support for value types received by the Filter parameter. For more information about the Filter parameter syntax, see about_ActiveDirectory_Filter. If you have existing LDAP query strings, you can use the LDAPFilter parameter. </maml:para><maml:para>This cmdlet retrieves a default set of optional feature object properties. To retrieve additional properties use the Properties parameter. For more information about the how to determine the properties for computer objects, see the Properties parameter description. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADOptionalFeature</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchBase</maml:name><maml:description><maml:para>Specifies an Active Directory path to search under. </maml:para><maml:para>When you run a cmdlet from an Active Directory provider drive, the default value of this parameter is the current path of the drive. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD DS target, the default value of this parameter is the default naming context of the target domain. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD LDS target, the default value is the default naming context of the target LDS instance if one has been specified by setting the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. If no default naming context has been specified for the target AD LDS instance, then this parameter has no default value. </maml:para><maml:para>The following example shows how to set this parameter to search under an OU. </maml:para><maml:para>-SearchBase "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>When the value of the SearchBase parameter is set to an empty string and you are connected to a GC port, all partitions will be searched. If the value of the SearchBase parameter is set to an empty string and you are not connected to a GC port, an error will be thrown. </maml:para><maml:para>The following example shows how to set this parameter to an empty string. -SearchBase "" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchScope</maml:name><maml:description><maml:para>Specifies the scope of an Active Directory search. Possible values for this parameter are: </maml:para><maml:para>Base or 0 </maml:para><maml:para>OneLevel or 1 </maml:para><maml:para>Subtree or 2 </maml:para><maml:para>A Base query searches only the current path or object. A OneLevel query searches the immediate children of that path or object. A Subtree query searches the current path or object and all children of that path or object. </maml:para><maml:para>The following example shows how to set this parameter to a subtree search. </maml:para><maml:para>-SearchScope Subtree </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Base</command:parameterValue><command:parameterValue required="true" variableLength="false">OneLevel</command:parameterValue><command:parameterValue required="true" variableLength="false">Subtree</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADOptionalFeature</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory optional feature object by providing one of the following values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Example: corp.contoso.com </maml:para><maml:para>Feature GUID (featureGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Object GUID (objectGUID) </maml:para><maml:para>Example: 482ab21c-823e-401e-879a-ac7383d64eb9 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an optional feature object instance. </maml:para><maml:para>This example shows how to set the parameter to a fully qualified domain name. </maml:para><maml:para>-Identity "corp.contoso.com" </maml:para><maml:para>This example shows how to set this parameter to an optional feature object instance named "optionalFeatureInstance". </maml:para><maml:para>-Identity $optionalFeatureInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADOptionalFeature</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADOptionalFeature</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchBase</maml:name><maml:description><maml:para>Specifies an Active Directory path to search under. </maml:para><maml:para>When you run a cmdlet from an Active Directory provider drive, the default value of this parameter is the current path of the drive. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD DS target, the default value of this parameter is the default naming context of the target domain. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD LDS target, the default value is the default naming context of the target LDS instance if one has been specified by setting the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. If no default naming context has been specified for the target AD LDS instance, then this parameter has no default value. </maml:para><maml:para>The following example shows how to set this parameter to search under an OU. </maml:para><maml:para>-SearchBase "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>When the value of the SearchBase parameter is set to an empty string and you are connected to a GC port, all partitions will be searched. If the value of the SearchBase parameter is set to an empty string and you are not connected to a GC port, an error will be thrown. </maml:para><maml:para>The following example shows how to set this parameter to an empty string. -SearchBase "" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchScope</maml:name><maml:description><maml:para>Specifies the scope of an Active Directory search. Possible values for this parameter are: </maml:para><maml:para>Base or 0 </maml:para><maml:para>OneLevel or 1 </maml:para><maml:para>Subtree or 2 </maml:para><maml:para>A Base query searches only the current path or object. A OneLevel query searches the immediate children of that path or object. A Subtree query searches the current path or object and all children of that path or object. </maml:para><maml:para>The following example shows how to set this parameter to a subtree search. </maml:para><maml:para>-SearchScope Subtree </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Base</command:parameterValue><command:parameterValue required="true" variableLength="false">OneLevel</command:parameterValue><command:parameterValue required="true" variableLength="false">Subtree</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LDAPFilter</maml:name><maml:description><maml:para>Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description and the about_ActiveDirectory_Filter. </maml:para><maml:para>The following example shows how to set this parameter to search for all objects in the organizational unit specified by the SearchBase parameter with a name beginning with "sara". </maml:para><maml:para>-LDAPFilter "(name=sara*)" -SearchScope Subtree -SearchBase "DC=NA,DC=fabrikam,DC=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory optional feature object by providing one of the following values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Example: corp.contoso.com </maml:para><maml:para>Feature GUID (featureGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Object GUID (objectGUID) </maml:para><maml:para>Example: 482ab21c-823e-401e-879a-ac7383d64eb9 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an optional feature object instance. </maml:para><maml:para>This example shows how to set the parameter to a fully qualified domain name. </maml:para><maml:para>-Identity "corp.contoso.com" </maml:para><maml:para>This example shows how to set this parameter to an optional feature object instance named "optionalFeatureInstance". </maml:para><maml:para>-Identity $optionalFeatureInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADOptionalFeature</command:parameterValue><dev:type><maml:name>ADOptionalFeature</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LDAPFilter</maml:name><maml:description><maml:para>Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description and the about_ActiveDirectory_Filter. </maml:para><maml:para>The following example shows how to set this parameter to search for all objects in the organizational unit specified by the SearchBase parameter with a name beginning with "sara". </maml:para><maml:para>-LDAPFilter "(name=sara*)" -SearchScope Subtree -SearchBase "DC=NA,DC=fabrikam,DC=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue>256</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchBase</maml:name><maml:description><maml:para>Specifies an Active Directory path to search under. </maml:para><maml:para>When you run a cmdlet from an Active Directory provider drive, the default value of this parameter is the current path of the drive. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD DS target, the default value of this parameter is the default naming context of the target domain. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD LDS target, the default value is the default naming context of the target LDS instance if one has been specified by setting the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. If no default naming context has been specified for the target AD LDS instance, then this parameter has no default value. </maml:para><maml:para>The following example shows how to set this parameter to search under an OU. </maml:para><maml:para>-SearchBase "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>When the value of the SearchBase parameter is set to an empty string and you are connected to a GC port, all partitions will be searched. If the value of the SearchBase parameter is set to an empty string and you are not connected to a GC port, an error will be thrown. </maml:para><maml:para>The following example shows how to set this parameter to an empty string. -SearchBase "" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchScope</maml:name><maml:description><maml:para>Specifies the scope of an Active Directory search. Possible values for this parameter are: </maml:para><maml:para>Base or 0 </maml:para><maml:para>OneLevel or 1 </maml:para><maml:para>Subtree or 2 </maml:para><maml:para>A Base query searches only the current path or object. A OneLevel query searches the immediate children of that path or object. A Subtree query searches the current path or object and all children of that path or object. </maml:para><maml:para>The following example shows how to set this parameter to a subtree search. </maml:para><maml:para>-SearchScope Subtree </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADSearchScope</command:parameterValue><dev:type><maml:name>ADSearchScope</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADOptionalFeature</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>An optional feature object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADOptionalFeature</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns one or more optional feature objects. </maml:para><maml:para>This cmdlet returns a default set of ADOptionalFeature property values. To retrieve additional ADOptionalFeature properties, use the Properties parameter. </maml:para><maml:para>To view the properties for an ADOptionalFeature object, see the following examples. To run these examples, replace <optional feature> with an optional feature identifier, such as distinguished name of the optional feature. </maml:para><maml:para>To get a list of the default set of properties of an ADOptionalFeature object, use the following command: </maml:para><maml:para>Get-ADOptionalFeature <optional feature>| Get-Member </maml:para><maml:para>To get a list of all the properties of an ADOptionalFeature object, use the following command: </maml:para><maml:para>Get-ADOptionalFeature <optional feature> -Properties ALL | Get-Member </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADOptionalFeature -Filter * </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get a list of all the available optional features in the current forest. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADOptionalFeature 'Recycle Bin Feature' </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the optional feature with the name 'Recycle Bin Feature'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADOptionalFeature 766ddcd8-acd0-445e-f3b9-a7f9b6744f2a </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the optional feature with the feature guid '766ddcd8-acd0-445e-f3b9-a7f9b6744f2a'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADOptionalFeature 'Recycle Bin Feature' -server server1:50000 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the 'Recycle Bin Feature' optional feature in an AD LDS instance. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291035</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Disable-ADOptionalFeature</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Enable-ADOptionalFeature</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADOrganizationalUnit</command:name><maml:description><maml:para>Gets one or more Active Directory organizational units.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADOrganizationalUnit</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADOrganizational unit cmdlet gets an organizational unit object or performs a search to retrieve multiple organizational units. </maml:para><maml:para>The Identity parameter specifies the Active Directory organizational unit to retrieve. You can identify an organizational unit by its distinguished name (DN) or GUID. You can also set the parameter to an organizational unit object variable, such as $<localOrganizationalunitObject> or pass an organizational unit object through the pipeline to the Identity parameter. </maml:para><maml:para>To search for and retrieve more than one organizational unit, use the Filter or LDAPFilter parameters. The Filter parameter uses the PowerShell Expression Language to write query strings for Active Directory. PowerShell Expression Language syntax provides rich type conversion support for value types received by the Filter parameter. For more information about the Filter parameter syntax, see about_ActiveDirectory_Filter. If you have existing LDAP query strings, you can use the LDAPFilter parameter. </maml:para><maml:para>This cmdlet retrieves a default set of organizational unit object properties. To retrieve additional properties use the Properties parameter. For more information about the how to determine the properties for computer objects, see the Properties parameter description. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADOrganizationalUnit</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchBase</maml:name><maml:description><maml:para>Specifies an Active Directory path to search under. </maml:para><maml:para>When you run a cmdlet from an Active Directory provider drive, the default value of this parameter is the current path of the drive. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD DS target, the default value of this parameter is the default naming context of the target domain. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD LDS target, the default value is the default naming context of the target LDS instance if one has been specified by setting the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. If no default naming context has been specified for the target AD LDS instance, then this parameter has no default value. </maml:para><maml:para>The following example shows how to set this parameter to search under an OU. </maml:para><maml:para>-SearchBase "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>When the value of the SearchBase parameter is set to an empty string and you are connected to a GC port, all partitions will be searched. If the value of the SearchBase parameter is set to an empty string and you are not connected to a GC port, an error will be thrown. </maml:para><maml:para>The following example shows how to set this parameter to an empty string. -SearchBase "" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchScope</maml:name><maml:description><maml:para>Specifies the scope of an Active Directory search. Possible values for this parameter are: </maml:para><maml:para>Base or 0 </maml:para><maml:para>OneLevel or 1 </maml:para><maml:para>Subtree or 2 </maml:para><maml:para>A Base query searches only the current path or object. A OneLevel query searches the immediate children of that path or object. A Subtree query searches the current path or object and all children of that path or object. </maml:para><maml:para>The following example shows how to set this parameter to a subtree search. </maml:para><maml:para>-SearchScope Subtree </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Base</command:parameterValue><command:parameterValue required="true" variableLength="false">OneLevel</command:parameterValue><command:parameterValue required="true" variableLength="false">Subtree</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADOrganizationalUnit</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies the identity of an Active Directory organizational unit object. The parameter accepts the following identity formats. The identifier in parentheses is the LDAP display name for the attribute that contains the identity. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: OU=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "OU=Europe,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to an organizational unit object instance named "OUinstance". </maml:para><maml:para>-Identity $OUInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADOrganizationalUnit</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADOrganizationalUnit</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchBase</maml:name><maml:description><maml:para>Specifies an Active Directory path to search under. </maml:para><maml:para>When you run a cmdlet from an Active Directory provider drive, the default value of this parameter is the current path of the drive. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD DS target, the default value of this parameter is the default naming context of the target domain. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD LDS target, the default value is the default naming context of the target LDS instance if one has been specified by setting the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. If no default naming context has been specified for the target AD LDS instance, then this parameter has no default value. </maml:para><maml:para>The following example shows how to set this parameter to search under an OU. </maml:para><maml:para>-SearchBase "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>When the value of the SearchBase parameter is set to an empty string and you are connected to a GC port, all partitions will be searched. If the value of the SearchBase parameter is set to an empty string and you are not connected to a GC port, an error will be thrown. </maml:para><maml:para>The following example shows how to set this parameter to an empty string. -SearchBase "" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchScope</maml:name><maml:description><maml:para>Specifies the scope of an Active Directory search. Possible values for this parameter are: </maml:para><maml:para>Base or 0 </maml:para><maml:para>OneLevel or 1 </maml:para><maml:para>Subtree or 2 </maml:para><maml:para>A Base query searches only the current path or object. A OneLevel query searches the immediate children of that path or object. A Subtree query searches the current path or object and all children of that path or object. </maml:para><maml:para>The following example shows how to set this parameter to a subtree search. </maml:para><maml:para>-SearchScope Subtree </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Base</command:parameterValue><command:parameterValue required="true" variableLength="false">OneLevel</command:parameterValue><command:parameterValue required="true" variableLength="false">Subtree</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LDAPFilter</maml:name><maml:description><maml:para>Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description and the about_ActiveDirectory_Filter. </maml:para><maml:para>The following example shows how to set this parameter to search for all objects in the organizational unit specified by the SearchBase parameter with a name beginning with "sara". </maml:para><maml:para>-LDAPFilter "(name=sara*)" -SearchScope Subtree -SearchBase "DC=NA,DC=fabrikam,DC=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies the identity of an Active Directory organizational unit object. The parameter accepts the following identity formats. The identifier in parentheses is the LDAP display name for the attribute that contains the identity. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: OU=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "OU=Europe,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to an organizational unit object instance named "OUinstance". </maml:para><maml:para>-Identity $OUInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADOrganizationalUnit</command:parameterValue><dev:type><maml:name>ADOrganizationalUnit</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LDAPFilter</maml:name><maml:description><maml:para>Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description and the about_ActiveDirectory_Filter. </maml:para><maml:para>The following example shows how to set this parameter to search for all objects in the organizational unit specified by the SearchBase parameter with a name beginning with "sara". </maml:para><maml:para>-LDAPFilter "(name=sara*)" -SearchScope Subtree -SearchBase "DC=NA,DC=fabrikam,DC=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue>256</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchBase</maml:name><maml:description><maml:para>Specifies an Active Directory path to search under. </maml:para><maml:para>When you run a cmdlet from an Active Directory provider drive, the default value of this parameter is the current path of the drive. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD DS target, the default value of this parameter is the default naming context of the target domain. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD LDS target, the default value is the default naming context of the target LDS instance if one has been specified by setting the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. If no default naming context has been specified for the target AD LDS instance, then this parameter has no default value. </maml:para><maml:para>The following example shows how to set this parameter to search under an OU. </maml:para><maml:para>-SearchBase "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>When the value of the SearchBase parameter is set to an empty string and you are connected to a GC port, all partitions will be searched. If the value of the SearchBase parameter is set to an empty string and you are not connected to a GC port, an error will be thrown. </maml:para><maml:para>The following example shows how to set this parameter to an empty string. -SearchBase "" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchScope</maml:name><maml:description><maml:para>Specifies the scope of an Active Directory search. Possible values for this parameter are: </maml:para><maml:para>Base or 0 </maml:para><maml:para>OneLevel or 1 </maml:para><maml:para>Subtree or 2 </maml:para><maml:para>A Base query searches only the current path or object. A OneLevel query searches the immediate children of that path or object. A Subtree query searches the current path or object and all children of that path or object. </maml:para><maml:para>The following example shows how to set this parameter to a subtree search. </maml:para><maml:para>-SearchScope Subtree </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADSearchScope</command:parameterValue><dev:type><maml:name>ADSearchScope</maml:name><maml:uri /></dev:type><dev:defaultValue>Subtree</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADOrganizationalUnit</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>An organizational unit object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADOrganizationalUnit</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns one or more organizational unit objects. </maml:para><maml:para>This cmdlet returns a default set of ADOrganizational unit property values. To retrieve additional ADOrganizational unit properties, use the Properties parameter. </maml:para><maml:para>To view the properties for an ADOrganizational unit object, see the following examples. To run these examples, replace <organizational unit> with an organizational unit identifier such as the distinguished name (DN) of an organizational unit. </maml:para><maml:para>To get a list of the default set of properties of an ADOrganizational unit object, use the following command: </maml:para><maml:para>Get-ADOrganizational unit <organizational unit>| Get-Member </maml:para><maml:para>To get a list of all the properties of an ADOrganizational unit object, use the following command: </maml:para><maml:para>Get-ADOrganizational unit <organizational unit> -Properties * | Get-Member </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADOrganizationalUnit -Filter 'Name -like "*"' | FT Name, DistinguishedName -A Name DistinguishedName ---- ----------------- Domain Controllers OU=Domain Controllers,DC=FABRIKAM,DC=COM UserAccounts OU=UserAccounts,DC=FABRIKAM,DC=COM Sales OU=Sales,OU=UserAccounts,DC=FABRIKAM,DC=COM Marketing OU=Marketing,OU=UserAccounts,DC=FABRIKAM,DC=COM Production OU=Production,OU=UserAccounts,DC=FABRIKAM,DC=COM HumanResources OU=HumanResources,OU=UserAccounts,DC=FABRIKAM,DC=COM NorthAmerica OU=NorthAmerica,OU=Sales,OU=UserAccounts,DC=FABRIKAM,DC=COM SouthAmerica OU=SouthAmerica,OU=Sales,OU=UserAccounts,DC=FABRIKAM,DC=COM Europe OU=Europe,OU=Sales,OU=UserAccounts,DC=FABRIKAM,DC=COM AsiaPacific OU=AsiaPacific,OU=Sales,OU=UserAccounts,DC=FABRIKAM,DC=COM Finance OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM Corporate OU=Corporate,OU=UserAccounts,DC=FABRIKAM,DC=COM ApplicationServers OU=ApplicationServers,DC=FABRIKAM,DC=COM Groups OU=Groups,OU=Managed,DC=FABRIKAM,DC=COM PasswordPolicyGroups OU=PasswordPolicyGroups,OU=Groups,OU=Managed,DC=FABRIKAM,DC=COM Managed OU=Managed,DC=FABRIKAM,DC=COM ServiceAccounts OU=ServiceAccounts,OU=Managed,DC=FABRIKAM,DC=COM </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Gets all the Organizational Units in the domain </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADOrganizationalUnit -Identity 'OU=AsiaPacific,OU=Sales,OU=UserAccounts,DC=FABRIKAM,DC=COM' | ft Name,Country,PostalCode,City,StreetAddress,State -A Name Country PostalCode City StreetAddress State ---- ------- ---------- ---- ------------- ----- AsiaPacific AU 4171 Balmoral 45 Martens Place QLD </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Gets the Organizational Unit with DistinguishedName 'OU=AsiaPacific,OU=Sales,OU=UserAccounts,DC=FABRIKAM,DC=COM'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADOrganizationalUnit -LDAPFilter '(name=*)' -SearchBase 'OU=Sales,OU=UserAccounts,DC=FABRIKAM,DC=COM' -SearchScope OneLevel | ft Name,Country,PostalCode,City,StreetAddress,State Name Country PostalCode City StreetAddress State ---- ------- ---------- ---- ------------- ----- AsiaPacific AU 4171 Balmoral 45 Martens Place QLD Europe UK NG34 0NI QUARRINGTON 22 Station Rd NorthAmerica US 02142 Cambridge 1634 Randolph Street MA </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Gets Organizational Units underneath the sales Organizational Unit using an LDAP filter. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291036</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADOrganizational unit</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADOrganizational unit</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADOrganizational unit</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADPrincipalGroupMembership</command:name><maml:description><maml:para>Gets the Active Directory groups that have a specified user, computer, group, or service account.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADPrincipalGroupMembership</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADPrincipalGroupMembership cmdlet gets the Active Directory groups that have a specified user, computer, group, or service account as a member. This cmdlet requires a global catalog to perform the group search. If the forest that contains the user, computer or group does not have a global catalog, the cmdlet returns a non-terminating error. If you want to search for local groups in another domain, use the ResourceContextServer parameter to specify the alternate server in the other domain. </maml:para><maml:para>The Identity parameter specifies the user, computer, or group object that you want to determine group membership for. You can identify a user, computer, or group object by its distinguished name (DN), GUID, security identifier (SID) or SAM account name. You can also specify a user, group, or computer object variable, such as $<localGroupObject>, or pass an object through the pipeline to the Identity parameter. For example, you can use the Get-ADGroup cmdlet to retrieve a group object and then pass the object through the pipeline to the Get-ADPrincipalGroupMembership cmdlet. Similarly, you can use Get-ADUser or Get-ADComputer to get user and computer objects to pass through the pipeline. </maml:para><maml:para>For AD LDS environments, the Partition parameter must be specified except in the following two conditions: </maml:para><maml:para>-The cmdlet is run from an Active Directory provider drive. </maml:para><maml:para>-A default naming context or partition is defined for the AD LDS environment. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADPrincipalGroupMembership</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory principal object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>- Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>- Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>- Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>- Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saradavis,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a principal object instance named "principalInstance". </maml:para><maml:para>-Identity $principalInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADPrincipal</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResourceContextPartition</maml:name><maml:description><maml:para>Specifies the distinguished name of the partition of an AD or AD LDS instance to search. Use this parameter with the ResourceContextServer parameter to specify a partition hosted by the specified server. If the ResourceContextPartition parameter is not specified, the default partition of the ResourceContextServer is searched. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResourceContextPartition "cn=employees,dc=corp,dc=contoso,dc=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResourceContextServer</maml:name><maml:description><maml:para>Specifies that the cmdlet return a list of groups that the user is a member of and that reside in the specified domain. Use this parameter to search for groups in a domain that is not the domain where the user's account resides. To search a partition other than the default partition in this domain, also specify the ResourceContextPartition parameter. </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-ResourceContextServer "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory principal object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>- Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>- Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>- Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>- Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saradavis,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a principal object instance named "principalInstance". </maml:para><maml:para>-Identity $principalInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADPrincipal</command:parameterValue><dev:type><maml:name>ADPrincipal</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResourceContextPartition</maml:name><maml:description><maml:para>Specifies the distinguished name of the partition of an AD or AD LDS instance to search. Use this parameter with the ResourceContextServer parameter to specify a partition hosted by the specified server. If the ResourceContextPartition parameter is not specified, the default partition of the ResourceContextServer is searched. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResourceContextPartition "cn=employees,dc=corp,dc=contoso,dc=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResourceContextServer</maml:name><maml:description><maml:para>Specifies that the cmdlet return a list of groups that the user is a member of and that reside in the specified domain. Use this parameter to search for groups in a domain that is not the domain where the user's account resides. To search a partition other than the default partition in this domain, also specify the ResourceContextPartition parameter. </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-ResourceContextServer "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADPrincipal</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A principal object that represents a user, computer or group is received by the Identity parameter. Derived types, such as the following are also received by this parameter. </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADGroup </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADGroup</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns group objects that have the specified user, computer, group or service account as a member. </maml:para><maml:para>The Get-ADPrincipalGroupMembership cmdlet returns a default set of ADGroup property values. To retrieve additional ADGroup properties pass the ADGroups objects produced by this cmdlet through the pipline to Get-ADGroup. Specify the additional properties required from the group objects by passing the -Properties parameter to Get-ADGroup. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>get-adprincipalgroupmembership -server localhost:60000 -identity "CN=GlenJohns,DC=AppNC" -partition "DC=AppNC" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Retrieve all the groups the user 'CN=GlenJohns,DC=AppNC' is a member of on an AD LDS instance. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>get-adprincipalgroupmembership -Identity Administrator distinguishedName : CN=Domain Users,CN=Users,DC=Fabrikam,DC=com GroupCategory : Security GroupScope : Global name : Domain Users objectClass : group objectGUID : 86c0f0d5-8b4d-4f35-a867-85a006b92902 SamAccountName : Domain Users SID : S-1-5-21-41432690-3719764436-1984117282-513 distinguishedName : CN=Administrators,CN=Builtin,DC=Fabrikam,DC=com GroupCategory : Security GroupScope : DomainLocal name : Administrators objectClass : group objectGUID : 02ce3874-dd86-41ba-bddc-013f34019978 SamAccountName : Administrators SID : S-1-5-32-544 distinguishedName : CN=Schema Admins,CN=Users,DC=Fabrikam,DC=com GroupCategory : Security GroupScope : Universal name : Schema Admins objectClass : group objectGUID : 8d62890f-385e-4cfa-9b2a-c72576097583 SamAccountName : Schema Admins SID : S-1-5-21-41432690-3719764436-1984117282-518 distinguishedName : CN=Enterprise Admins,CN=Users,DC=Fabrikam,DC=com GroupCategory : Security GroupScope : Universal name : Enterprise Admins objectClass : group objectGUID : 0215b0a5-aea1-40da-b598-720efe930ddf SamAccountName : Enterprise Admins SID : S-1-5-21-41432690-3719764436-1984117282-519 distinguishedName : CN=Domain Admins,CN=Users,DC=Fabrikam,DC=com GroupCategory : Security GroupScope : Global name : Domain Admins objectClass : group objectGUID : 5ccc6037-c2c9-42be-8e92-c8f98afd0011 SamAccountName : Domain Admins SID : S-1-5-21-41432690-3719764436-1984117282-512 distinguishedName : CN=Group Policy Creator Owners,CN=Users,DC=Fabrikam,DC=com GroupCategory : Security GroupScope : Global name : Group Policy Creator Owners objectClass : group objectGUID : a58f7bf2-fd20-4bbd-96f0-ee10fa1613c7 SamAccountName : Group Policy Creator Owners SID : S-1-5-21-41432690-3719764436-1984117282-520 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Retrieve all the groups the administrator is a member of. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>get-adprincipalgroupmembership -Identity Administrator -ResourceContextServer ChildDomain.Fabrikam.Com -ResourceContextPartition "DC=Fabrikam,DC=com" distinguishedName : CN=Domain Users,CN=Users,DC=Fabrikam,DC=com GroupCategory : Security GroupScope : Global name : Domain Users objectClass : group objectGUID : 86c0f0d5-8b4d-4f35-a867-85a006b92902 SamAccountName : Domain Users SID : S-1-5-21-41432690-3719764436-1984117282-513 distinguishedName : CN=Group Policy Creator Owners,CN=Users,DC=Fabrikam,DC=com GroupCategory : Security GroupScope : Global name : Group Policy Creator Owners objectClass : group objectGUID : a58f7bf2-fd20-4bbd-96f0-ee10fa1613c7 SamAccountName : Group Policy Creator Owners SID : S-1-5-21-41432690-3719764436-1984117282-520 distinguishedName : CN=Enterprise Admins,CN=Users,DC=Fabrikam,DC=com GroupCategory : Security GroupScope : Universal name : Enterprise Admins objectClass : group objectGUID : 0215b0a5-aea1-40da-b598-720efe930ddf SamAccountName : Enterprise Admins SID : S-1-5-21-41432690-3719764436-1984117282-519 distinguishedName : CN=Schema Admins,CN=Users,DC=Fabrikam,DC=com GroupCategory : Security GroupScope : Universal name : Schema Admins objectClass : group objectGUID : 8d62890f-385e-4cfa-9b2a-c72576097583 SamAccountName : Schema Admins SID : S-1-5-21-41432690-3719764436-1984117282-518 distinguishedName : CN=Domain Admins,CN=Users,DC=Fabrikam,DC=com GroupCategory : Security GroupScope : Global name : Domain Admins objectClass : group objectGUID : 5ccc6037-c2c9-42be-8e92-c8f98afd0011 SamAccountName : Domain Admins SID : S-1-5-21-41432690-3719764436-1984117282-512 distinguishedName : CN=Administrators,CN=Builtin,DC=Fabrikam,DC=com GroupCategory : Security GroupScope : DomainLocal name : Administrators objectClass : group objectGUID : 02ce3874-dd86-41ba-bddc-013f34019978 SamAccountName : Administrators SID : S-1-5-32-544 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Retrieve all the groups the adminsitrator account in the local domain is a member of in the resource domain ChildDomain.Fabrikam.Com </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291037</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Add-ADGroupMember</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Add-ADPrincipalGroupMembership</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADComputer</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADGroup</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADGroupMember</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADUser</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADGroupMember</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADPrincipalGroupMembership</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADReplicationAttributeMetadata</command:name><maml:description><maml:para>Returns the replication metadata for one or more Active Directory replication partners.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADReplicationAttributeMetadata</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADReplicationAttributeMetadata cmdlet returns the replication metadata for one or more attributes on a given object. The metadata is contained in the following two directory objects: </maml:para><maml:para>single-value attribute: msDS-ReplAttributeMetaData </maml:para><maml:para>multi-value attribute: msDS-ReplValueMetaData </maml:para><maml:para>The cmdlet parses the byte array(s) and returns the data in a readable format. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADReplicationAttributeMetadata</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Object</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavis,OU=users,OU=asia,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADDomain </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADObject</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="3" aliases="Property,Attribute,Attributes"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies a list of one or more attribute names as a comma separated list to return the metadata for replication partners. This parameter also accepts * to indicate that all attributes set on the object should be returned. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a filter in the provider's format or language. The value of this parameter qualifies the Path parameter. The syntax of the filter, including the use of wildcards, depends on the provider. Filters are more efficient than other parameters, because the provider applies them when retrieving the objects, rather than having Windows PowerShell filter the objects after they are retrieved. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>IncludeDeletedObjects</maml:name><maml:description><maml:para>Specifies to retrieve deleted objects and the deactivated forward and backward links. When this parameter is specified, the cmdlet uses the following LDAP controls: </maml:para><maml:para>Show Deleted Objects (1.2.840.113556.1.4.417) </maml:para><maml:para>Show Deactivated Links (1.2.840.113556.1.4.2065) </maml:para><maml:para>Note: If this parameter is not specified, the cmdlet will not return or operate on deleted objects. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ShowAllLinkedValues</maml:name><maml:description><maml:para>Specifying this switch returns all linked values if the attribute returned is multi-valued. </maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a filter in the provider's format or language. The value of this parameter qualifies the Path parameter. The syntax of the filter, including the use of wildcards, depends on the provider. Filters are more efficient than other parameters, because the provider applies them when retrieving the objects, rather than having Windows PowerShell filter the objects after they are retrieved. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>IncludeDeletedObjects</maml:name><maml:description><maml:para>Specifies to retrieve deleted objects and the deactivated forward and backward links. When this parameter is specified, the cmdlet uses the following LDAP controls: </maml:para><maml:para>Show Deleted Objects (1.2.840.113556.1.4.417) </maml:para><maml:para>Show Deactivated Links (1.2.840.113556.1.4.2065) </maml:para><maml:para>Note: If this parameter is not specified, the cmdlet will not return or operate on deleted objects. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Object</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavis,OU=users,OU=asia,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADDomain </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADObject</command:parameterValue><dev:type><maml:name>ADObject</maml:name><maml:uri /></dev:type><dev:defaultValue>None</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="3" aliases="Property,Attribute,Attributes"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies a list of one or more attribute names as a comma separated list to return the metadata for replication partners. This parameter also accepts * to indicate that all attributes set on the object should be returned. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue>* (all properties)</dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ShowAllLinkedValues</maml:name><maml:description><maml:para>Specifying this switch returns all linked values if the attribute returned is multi-valued. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>False; by default, only the linked value with the highest USN is returned</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADObject</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A class structure that represents the Active Directory objects. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADReplicationAttributeMetadata</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A class structure that represents Active Directory replication attribute metadata objects. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>The default behavior for this cmdlet is to prompt for object identity. Other tools that have been provided to manage this feature in previous releases of Windows Server include the Repadmin.exe command-line tool. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationAttributeMetadata "CN=Domain Admins,CN=Users,DC=corp,DC=contoso,DC=com" corp-DC01 -ShowAllLinkedValues </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the replication metadata for the attributes of a group with Distinguished Name "CN=Domain Admins,CN=Users,DC=corp,DC=contoso,DC=com" from the CORP-DC01 domain controller. By including the -ShowAllLinkedValues switch parameter if a multi-valued attribute is present, all its linked values are also retrieved. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationAttributeMetadata "1A7BFEC6-C92C-4804-94B0-D407E51F1B64" corp-DC01 -IncludeDeletedObjects </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the replication metadata for the attributes of an object with GUID "1A7BFEC6-C92C-4804-94B0-D407E51F1B64", including the deleted objects and the deactivated forward and backward links. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADObject -Filter 'objectclass -eq "group"' | Get-ADReplicationAttributeMetadata -Server corp-DC01 | Where-Object {$_.lastoriginatingchangetime -like "*11/10/2011*"} | Format-Table object </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all groups that have any of their attributes modified on 11/10/2011. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291038</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADReplicationConnection</command:name><maml:description><maml:para>Returns a specific Active Directory replication connection or a set of AD replication connection objects based on a specified filter.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADReplicationConnection</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADReplicationConnection cmdlet returns a specific Active Directory replication connection or a set of AD replication connection objects based on a specified filter. Connections are used to enable domain controllers to replicate with each other. A connection defines a one-way, inbound route from one domain controller, the source, to another domain controller, the destination. The Kerberos consistency checker (KCC) reuses existing connections where it can, deletes unused connections, and creates new connections if none exist that meet the current need. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADReplicationConnection</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADReplicationConnection</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavis,OU=users,OU=asia,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationConnection</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavis,OU=users,OU=asia,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationConnection</command:parameterValue><dev:type><maml:name>ADReplicationConnection</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADReplicationConnection</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A connection object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADReplicationConnection</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationConnection -Filter * </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all the replication connections. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationConnection -Filter {ReplicateFromDirectoryServer -eq "corp-DC01"} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all replication connections that replicate from corp-DC01. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationConnection "5f98e288-19e0-47a0-9677-57f05ed54f6b" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the replication connection with name '5f98e288-19e0-47a0-9677-57f05ed54f6b'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationConnection "5f98e288-19e0-47a0-9677-57f05ed54f6b" -Properties * </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all the properties of the replication connection with name '5f98e288-19e0-47a0-9677-57f05ed54f6b'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291039</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADReplicationConnection</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADReplicationFailure</command:name><maml:description><maml:para>Returns a collection of data describing an Active Directory replication failure.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADReplicationFailure</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADReplicationFailure cmdlet returns all failures currently associated with a given domain controller or Active Directory Lightweight Directory Services (AD LDS) instance. The return object is of type ADReplicationFailure. This cmdlet returns the list of failures in the ADReplicationSummary object for a specific server. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADReplicationFailure</maml:name><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByValue)" position="1" aliases="Name,HostName,Site,Domain,Forest"><maml:name>Target</maml:name><maml:description><maml:para>Specifies either one or more (using a comma separated list) of Active Directory domain controllers, sites, domains, or forests. It will return results for all the domain controllers that are specified or that are part of the specified container. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">Object[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>EnumeratingServer</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a filter in the provider's format or language. The value of this parameter qualifies the Path parameter. The syntax of the filter, including the use of wildcards, depends on the provider. Filters are more efficient than other parameters, because the provider applies them when retrieving the objects, rather than having Windows PowerShell filter the objects after they are retrieved. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADReplicationFailure</maml:name><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByValue)" position="1" aliases="Name,HostName,Site,Domain,Forest"><maml:name>Target</maml:name><maml:description><maml:para>Specifies either one or more (using a comma separated list) of Active Directory domain controllers, sites, domains, or forests. It will return results for all the domain controllers that are specified or that are part of the specified container. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">Object[]</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="2" aliases="ReplicationSite"><maml:name>Scope</maml:name><maml:description><maml:para>Specifies the type of object used as input by the Target parameter. The following are allowable values to use: </maml:para><maml:para>Server </maml:para><maml:para>Site </maml:para><maml:para>Domain </maml:para><maml:para>Forest </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Domain</command:parameterValue><command:parameterValue required="true" variableLength="false">Forest</command:parameterValue><command:parameterValue required="true" variableLength="false">Server</command:parameterValue><command:parameterValue required="true" variableLength="false">Site</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>EnumeratingServer</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a filter in the provider's format or language. The value of this parameter qualifies the Path parameter. The syntax of the filter, including the use of wildcards, depends on the provider. Filters are more efficient than other parameters, because the provider applies them when retrieving the objects, rather than having Windows PowerShell filter the objects after they are retrieved. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>EnumeratingServer</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a filter in the provider's format or language. The value of this parameter qualifies the Path parameter. The syntax of the filter, including the use of wildcards, depends on the provider. Filters are more efficient than other parameters, because the provider applies them when retrieving the objects, rather than having Windows PowerShell filter the objects after they are retrieved. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="2" aliases="ReplicationSite"><maml:name>Scope</maml:name><maml:description><maml:para>Specifies the type of object used as input by the Target parameter. The following are allowable values to use: </maml:para><maml:para>Server </maml:para><maml:para>Site </maml:para><maml:para>Domain </maml:para><maml:para>Forest </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADScopeType</command:parameterValue><dev:type><maml:name>ADScopeType</maml:name><maml:uri /></dev:type><dev:defaultValue>None</dev:defaultValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByValue)" position="1" aliases="Name,HostName,Site,Domain,Forest"><maml:name>Target</maml:name><maml:description><maml:para>Specifies either one or more (using a comma separated list) of Active Directory domain controllers, sites, domains, or forests. It will return results for all the domain controllers that are specified or that are part of the specified container. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">Object[]</command:parameterValue><dev:type><maml:name>Object[]</maml:name><maml:uri /></dev:type><dev:defaultValue>DCLocator; Provider: -Server of the connected drive</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADDirectoryServer</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A class structure that contains one or more Active Directory server objects. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADReplicationFailure</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A class structure that represents Active Directory replication failure objects. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationFailure -Target corp-DC01 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get a collection of data describing an Active Directory replication failure for corp-DC01. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationFailure -Target corp-DC01 -Scope Server </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get a collection of data describing an Active Directory replication failure from corp-DC01 (same as above). </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationFailure -Target corp-DC01,corp-DC02 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get a collection of data describing an Active Directory replication failure from corp-DC01 and corp-DC02. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationFailure -Target NorthAmerica -Scope Site </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get a collection of data describing Active Directory replication failures from all the domain controllers in the site 'NorthAmerica'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 5 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationFailure -Target "corp.contoso.com" -Scope Domain </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get a collection of data describing Active Directory replication failures from all the domain controllers in the domain 'corp.contoso.com'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 6 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationFailure -Target "corp.contoso.com" -Scope Forest </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get a collection of data describing Active Directory replication failures from all the domain controllers in the forest 'corp.contoso.com' </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291040</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADReplicationPartnerMetadata</command:name><maml:description><maml:para>Returns the replication metadata for a set of one or more replication partners.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADReplicationPartnerMetadata</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADReplicationPartnerMetadata cmdlet returns an Active Directory replication partner metadata object for each of its replication partners which contains all of the relevant replication data for the partners involved. This includes attributes such as LastReplicationSuccess or LastReplicationAttempt and other data specific to each pairing of replication partners. If the results are too verbose for your needs, you can use the Partition parameter to specify a partition to narrow down the results. Optionally, you can use the Filter parameter to narrow down results as well. If no partition or filter are specified for the results, the default naming context is used and metadata for all replication partners is returned. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADReplicationPartnerMetadata</maml:name><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByValue)" position="1" aliases="Name,HostName,Site,Domain,Forest"><maml:name>Target</maml:name><maml:description><maml:para>Specifies the target for returning replication partner metadata as either one or more domain controllers, sites, domains, or forests. If multiple values for the target are to be specified, they need to be separated by commas. This parameter will return results for all the domain controllers specified or for part of the specified container. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">Object[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="3" aliases="NC,NamingContext"><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="4" aliases=""><maml:name>PartnerType</maml:name><maml:description><maml:para>An enumeration of the replication types returned by this cmdlet. The following are the allowable values for this parameter: Inbound, Outbound, Both. </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Both</command:parameterValue><command:parameterValue required="true" variableLength="false">Inbound</command:parameterValue><command:parameterValue required="true" variableLength="false">Outbound</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>EnumerationServer</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a filter in the provider's format or language. The value of this parameter qualifies the Path parameter. The syntax of the filter, including the use of wildcards, depends on the provider. Filters are more efficient than other parameters, because the provider applies them when retrieving the objects, rather than having Windows PowerShell filter the objects after they are retrieved. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADReplicationPartnerMetadata</maml:name><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByValue)" position="1" aliases="Name,HostName,Site,Domain,Forest"><maml:name>Target</maml:name><maml:description><maml:para>Specifies the target for returning replication partner metadata as either one or more domain controllers, sites, domains, or forests. If multiple values for the target are to be specified, they need to be separated by commas. This parameter will return results for all the domain controllers specified or for part of the specified container. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">Object[]</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>Scope</maml:name><maml:description><maml:para>Specifies the scope type for the Target parameter when used as input. The allowable values for this parameter are: </maml:para><maml:para>Server </maml:para><maml:para>Site </maml:para><maml:para>Domain </maml:para><maml:para>Forest </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Domain</command:parameterValue><command:parameterValue required="true" variableLength="false">Forest</command:parameterValue><command:parameterValue required="true" variableLength="false">Server</command:parameterValue><command:parameterValue required="true" variableLength="false">Site</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="3" aliases="NC,NamingContext"><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="4" aliases=""><maml:name>PartnerType</maml:name><maml:description><maml:para>An enumeration of the replication types returned by this cmdlet. The following are the allowable values for this parameter: Inbound, Outbound, Both. </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Both</command:parameterValue><command:parameterValue required="true" variableLength="false">Inbound</command:parameterValue><command:parameterValue required="true" variableLength="false">Outbound</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>EnumerationServer</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a filter in the provider's format or language. The value of this parameter qualifies the Path parameter. The syntax of the filter, including the use of wildcards, depends on the provider. Filters are more efficient than other parameters, because the provider applies them when retrieving the objects, rather than having Windows PowerShell filter the objects after they are retrieved. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>EnumerationServer</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a filter in the provider's format or language. The value of this parameter qualifies the Path parameter. The syntax of the filter, including the use of wildcards, depends on the provider. Filters are more efficient than other parameters, because the provider applies them when retrieving the objects, rather than having Windows PowerShell filter the objects after they are retrieved. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="3" aliases="NC,NamingContext"><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue>DefaultNC; Provider: Default is to use the Partition that you are currently in. Else, use DefaultNC (IE: If you are in the RootDSE)</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="4" aliases=""><maml:name>PartnerType</maml:name><maml:description><maml:para>An enumeration of the replication types returned by this cmdlet. The following are the allowable values for this parameter: Inbound, Outbound, Both. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADPartnerType</command:parameterValue><dev:type><maml:name>ADPartnerType</maml:name><maml:uri /></dev:type><dev:defaultValue>Inbound</dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>Scope</maml:name><maml:description><maml:para>Specifies the scope type for the Target parameter when used as input. The allowable values for this parameter are: </maml:para><maml:para>Server </maml:para><maml:para>Site </maml:para><maml:para>Domain </maml:para><maml:para>Forest </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADScopeType</command:parameterValue><dev:type><maml:name>ADScopeType</maml:name><maml:uri /></dev:type><dev:defaultValue>None</dev:defaultValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByValue)" position="1" aliases="Name,HostName,Site,Domain,Forest"><maml:name>Target</maml:name><maml:description><maml:para>Specifies the target for returning replication partner metadata as either one or more domain controllers, sites, domains, or forests. If multiple values for the target are to be specified, they need to be separated by commas. This parameter will return results for all the domain controllers specified or for part of the specified container. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">Object[]</command:parameterValue><dev:type><maml:name>Object[]</maml:name><maml:uri /></dev:type><dev:defaultValue>DCLocator; Provider: -Server of the connected drive</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADDirectoryServer</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A class structure that represents Active Directory server objects. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADReplicationPartnerMetadata</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A class structure that represents Active Directory replication partner metadata objects. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>The default behavior for this cmdlet is to prompt for server identity. Other tools that have been made available in prior releases of Windows Server to manage replication partnerships include Active Directory Sites and Services and the Repadmin.exe tool. If this cmdlet is aliased, it should use "ReplSummary" as the alias name value. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationPartnerMetadata -Target corp-DC01 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the replication metadata between corp-DC01 and its inbound partners for the default partition only. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationPartnerMetadata -Target corp-DC01 -PartnerType Inbound </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the replication metadata between corp-DC01 and its inbound partners for the default partition only (same as above). </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationPartnerMetadata -Target corp-DC01,corp-DC02 -PartnerType Both -Partition Schema </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the replication metadata between corp-DC01, corp-DC02 and their respective partners only (both inbound and outbound) for the schema partition. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationPartnerMetadata -Target NorthAmerica -Scope Site -Partition * </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the replication metadata for all the inbound partners of all the domain controllers within the 'NorthAmerica' site for all hosted partitions. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 5 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationPartnerMetadata -Target "corp.contoso.com" -Scope Domain </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the replication metadata for all the domain controllers that are inbound partners for the default partition in the domain 'corp.contoso.com'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 6 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationPartnerMetadata -Target "corp.contoso.com" -Scope Forest -Partition Configuration </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the replication metadata for all the domain controllers that are inbound partners for the configuration partition in the forest 'corp.contoso.com'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291041</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADReplicationQueueOperation</command:name><maml:description><maml:para>Returns the contents of the replication queue for a specified server.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADReplicationQueueOperation</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADReplicationQueueOperation cmdlet returns all of the pending operations in the replication queue. While replication operations are pending, this cmdlet can be useful for determining the status of queued operations. </maml:para><maml:para>The Get-ADReplicationQueueOperation cmdlet can be called from script to watch and observe when operations get moved out of the queue as they are replicated. It also allows for filtering on any of the properties on the ADReplicationOperation object. </maml:para><maml:para>The replication queue operates in the following manner: suppose a domain controller has five inbound replication connections. As the domain controller formulates change requests, either by a schedule being reached or from a notification, it adds a work item for each request to the end of the queue of pending synchronization requests. Each pending synchronization request represents one <source domain controller, directory partition> pair, such as "synchronize the schema directory partition from DC1," or "delete the ApplicationX directory partition." </maml:para><maml:para>When a work item has been received into the queue, notification and polling intervals do not apply. Instead, the domain controller processes the item (begins synchronizing from its source) as soon as the work item reaches the front of the replication queue. This process continues until either the destination is fully synchronized with the source domain controller, an error occurs, or the synchronization is pre-empted by a higher-priority operation. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADReplicationQueueOperation</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="3" aliases="NC,NamingContext"><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a filter in the provider's format or language. The value of this parameter qualifies the Path parameter. The syntax of the filter, including the use of wildcards, depends on the provider. Filters are more efficient than other parameters, because the provider applies them when retrieving the objects, rather than having Windows PowerShell filter the objects after they are retrieved. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a filter in the provider's format or language. The value of this parameter qualifies the Path parameter. The syntax of the filter, including the use of wildcards, depends on the provider. Filters are more efficient than other parameters, because the provider applies them when retrieving the objects, rather than having Windows PowerShell filter the objects after they are retrieved. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="3" aliases="NC,NamingContext"><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue>DefaultNC; Provider: Default is to use the Partition that you are currently in. Else, use DefaultNC (IE: If you are in the RootDSE)</dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADDirectoryServer</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A class structure that represents one or more Active Directory servers. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADReplicationOperation</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A class structure that represents one or more Active Directory replication operations. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationQueueOperation "corp-DC01.corp.contoso.com" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the pending operations in the replication queue for the domain controller "corp-DC01" as specified by its fully qualified domain name (FQDN). </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291042</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADReplicationSite</command:name><maml:description><maml:para>Returns a specific Active Directory replication site or a set of replication site objects based on a specified filter.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADReplicationSite</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADReplicationSite cmdlet returns a specific Active Directory replication site or a set of replication site objects based on a specified filter. Sites are used in Active Directory to either enable clients to discover network resources (published shares, domain controllers) close to the physical location of a client computer or to reduce network traffic over wide area network (WAN) links. Sites can also be used to optimize replication between domain controllers. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADReplicationSite</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=NorthAmerica,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSite</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADReplicationSite</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=NorthAmerica,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSite</command:parameterValue><dev:type><maml:name>ADReplicationSite</maml:name><maml:uri /></dev:type><dev:defaultValue>All Sites (Filter *)</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADReplicationSite</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A site object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADReplicationSite</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationSite -Filter * </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all the sites. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationSite -Properties * -Filter {WindowsServer2003KCCSiteLinkBridgingEnabled -eq $TRUE} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all sites that have the WindowsServer2003KCCBehaviorEnabled flag turned on. (The –Properties parameter must be set because the WindowsServer2003KCCSiteLinkBridgingEnabled property is not retrieved by default.) </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationSite NorthAmerica </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the site with name 'NorthAmerica'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationSite NorthAmerica -Properties AutomaticInterSiteTopologyGenerationEnabled </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the AutomaticInterSiteTopologyGenerationEnabled property of the site with name 'NorthAmerica'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291043</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADReplicationSite</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADReplicationSite</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADReplicationSite</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADReplicationSiteLink</command:name><maml:description><maml:para>Returns a specific Active Directory site link or a set of site links based on a specified filter.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADReplicationSiteLink</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADReplicationSiteLink cmdlet can be used to return a specific Active Directory site link or a set of site links based on a specified filter. A site link connects two or more sites. Site links reflect the administrative policy for how sites are to be interconnected and the methods used to transfer replication traffic. You must connect sites with site links so that domain controllers at each site can replicate Active Directory changes. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADReplicationSiteLink</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADReplicationSiteLink</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=NorthAmerica-SouthAmerica,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSiteLink</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=NorthAmerica-SouthAmerica,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSiteLink</command:parameterValue><dev:type><maml:name>ADReplicationSiteLink</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADReplicationSiteLink</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A site link object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADReplicationSiteLink</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationSiteLink -Filter * </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all the site links. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationSiteLink -Filter {SitesIncluded -eq "NorthAmerica"} | FT Name,SitesIncluded -A </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all site links that include 'NorthAmerica'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationSiteLink -Filter {Cost -gt 100 -and ReplicationFrequencyInMinutes -lt 15} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all site links that have a cost greater than 100 and a replication frequency less than 15 minutes. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationSiteLink "Europe-Asia" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the site link with name 'Europe-Asia'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 5 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationSiteLink "Europe-Asia" -Properties ReplicationSchedule </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the ReplicationSchedule property of the site link with name 'Europe-Asia'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291044</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADReplicationSiteLink</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADReplicationSiteLink</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADReplicationSiteLink</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADReplicationSiteLinkBridge</command:name><maml:description><maml:para>Returns a specific Active Directory site link bridge or a set of site link bridge objects based on a specified filter.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADReplicationSiteLinkBridge</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADReplicationSiteLinkBridge cmdlet returns a specific Active Directory site link bridge or a set of site link bridge objects based on a specified filter. A site link bridge connects two or more site links and enables transitivity between site links. Each site link in a bridge must have a site in common with another site link in the bridge. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADReplicationSiteLinkBridge</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADReplicationSiteLinkBridge</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=NorthAmerica-Asia,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSiteLinkBridge</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=NorthAmerica-Asia,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSiteLinkBridge</command:parameterValue><dev:type><maml:name>ADReplicationSiteLinkBridge</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADReplicationSiteLinkBridge</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A site link bridge object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADReplicationSiteLinkBridge</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>By default, the following site link bridge properties are returned: </maml:para><maml:para>- Name </maml:para><maml:para>- Description </maml:para><maml:para>- SiteLinksIncluded </maml:para><maml:para>- DN </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationSiteLinkBridge -Filter * </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all the site link bridges. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationSiteLinkBridge -Filter {SiteLinksIncluded -eq "NorthAmerica-Europe"} | FT Name,SiteLinksIncluded -A </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all site link bridges that include site link 'NorthAmerica-Europe'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationSiteLinkBridge "NorthAmerica-Asia" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the site link bridge with name 'NorthAmerica-Europe' </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationSiteLinkBridge "NorthAmerica-Asia" -Properties * </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all the properties of the site link bridge with name 'NorthAmerica-Europe'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291045</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADReplicationSiteLinkBridge</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADReplicationSiteLinkBridge</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADReplicationSiteLinkBridge</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADReplicationSubnet</command:name><maml:description><maml:para>Returns a specific Active Directory subnet or a set of AD subnets based on a specified filter.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADReplicationSubnet</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADReplicationSubnet cmdlet returns a specific Active Directory subnet or a set of AD subnets based on a specified filter. Subnet objects (class subnet) define network subnets in Active Directory. A network subnet is a segment of a TCP/IP network to which a set of logical IP addresses is assigned. Subnets group computers in a way that identifies their physical proximity on the network. Subnet objects in Active Directory are used to map computers to sites. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADReplicationSubnet</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADReplicationSubnet</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=10.0.0.0/25,CN=Subnets,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSubnet</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=10.0.0.0/25,CN=Subnets,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSubnet</command:parameterValue><dev:type><maml:name>ADReplicationSubnet</maml:name><maml:uri /></dev:type><dev:defaultValue>All Subnets (Filter *)</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADReplicationSubnet</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A subnet object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADReplicationSubnet</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationSubnet -Filter * </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all the subnets. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationSubnet -Filter {Location -like "*Japan"} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all the subnets in Japan. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationSubnet "10.0.0.0/25" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the subnet with name '10.0.0.0/25'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationSubnet "10.0.0.0/25" -Properties * </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all the properties of the subnet with name '10.0.0.0/25'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291046</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADReplicationSubnet</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADReplicationSubnet</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADReplicationSubnet</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADReplicationUpToDatenessVectorTable</command:name><maml:description><maml:para>Displays the highest Update Sequence Number (USN) for the specified domain controller. </maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADReplicationUpToDatenessVectorTable</command:noun><dev:version /></command:details><maml:description><maml:para>Displays the highest Update Sequence Number (USN) for the specified domain controller(s). This information shows how up-to-date a replica is with its replication partners. During replication, each object that is replicated has USN and if the object is modified, the USN is incremented. The value of the USN for a given object is local to each domain controller where it has replicated are number is different on each domain controller. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADReplicationUpToDatenessVectorTable</maml:name><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByValue)" position="1" aliases="Name,HostName,Site,Domain,Forest"><maml:name>Target</maml:name><maml:description><maml:para>Specifies either one or more (using a comma separated list) of Active Directory domain controllers, sites, domains, or forests. It will return results for all the domain controllers that are specified or that are part of the specified container. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">Object[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="3" aliases="NC,NamingContext"><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>EnumerationServer</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a filter in the provider's format or language. The value of this parameter qualifies the Path parameter. The syntax of the filter, including the use of wildcards, depends on the provider. Filters are more efficient than other parameters, because the provider applies them when retrieving the objects, rather than having Windows PowerShell filter the objects after they are retrieved. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADReplicationUpToDatenessVectorTable</maml:name><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByValue)" position="1" aliases="Name,HostName,Site,Domain,Forest"><maml:name>Target</maml:name><maml:description><maml:para>Specifies either one or more (using a comma separated list) of Active Directory domain controllers, sites, domains, or forests. It will return results for all the domain controllers that are specified or that are part of the specified container. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">Object[]</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="2" aliases="ReplicationSite"><maml:name>Scope</maml:name><maml:description><maml:para>Specifies the type of object used as input by the Target parameter. The following are allowable values to use: </maml:para><maml:para>Server </maml:para><maml:para>Site </maml:para><maml:para>Domain </maml:para><maml:para>Forest </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Domain</command:parameterValue><command:parameterValue required="true" variableLength="false">Forest</command:parameterValue><command:parameterValue required="true" variableLength="false">Server</command:parameterValue><command:parameterValue required="true" variableLength="false">Site</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="3" aliases="NC,NamingContext"><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>EnumerationServer</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a filter in the provider's format or language. The value of this parameter qualifies the Path parameter. The syntax of the filter, including the use of wildcards, depends on the provider. Filters are more efficient than other parameters, because the provider applies them when retrieving the objects, rather than having Windows PowerShell filter the objects after they are retrieved. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>EnumerationServer</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a filter in the provider's format or language. The value of this parameter qualifies the Path parameter. The syntax of the filter, including the use of wildcards, depends on the provider. Filters are more efficient than other parameters, because the provider applies them when retrieving the objects, rather than having Windows PowerShell filter the objects after they are retrieved. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="3" aliases="NC,NamingContext"><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue>DefaultNC; Provider: Default is to use the Partition that you are currently in. Else, use DefaultNC (IE: If you are in the RootDSE)</dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="2" aliases="ReplicationSite"><maml:name>Scope</maml:name><maml:description><maml:para>Specifies the type of object used as input by the Target parameter. The following are allowable values to use: </maml:para><maml:para>Server </maml:para><maml:para>Site </maml:para><maml:para>Domain </maml:para><maml:para>Forest </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADScopeType</command:parameterValue><dev:type><maml:name>ADScopeType</maml:name><maml:uri /></dev:type><dev:defaultValue>None</dev:defaultValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByValue)" position="1" aliases="Name,HostName,Site,Domain,Forest"><maml:name>Target</maml:name><maml:description><maml:para>Specifies either one or more (using a comma separated list) of Active Directory domain controllers, sites, domains, or forests. It will return results for all the domain controllers that are specified or that are part of the specified container. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">Object[]</command:parameterValue><dev:type><maml:name>Object[]</maml:name><maml:uri /></dev:type><dev:defaultValue>DCLocator; Provider: -Server of the connected drive</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADDirectoryServer</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A class structure that contains one or more Active Directory server objects. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADReplicationUpToDatenessVector</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A class structure that contains one or more Active Directory replication up-to-dateness (UTD) vector tables. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationUpToDatenessVectorTable -Target corp-DC01 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the highest Update Sequence Number (USN) information for the default partition from corp-DC01. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationUpToDatenessVectorTable -Target corp-DC01 -Scope Server </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the highest Update Sequence Number (USN) information for the default partition from corp-DC01 (same as above). </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationUpToDatenessVectorTable -Target corp-DC01,corp-DC02 -Partition Schema </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the highest Update Sequence Number (USN) information for the schema partition from corp-DC01 and corp-DC02. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationUpToDatenessVectorTable -Target NorthAmerica -Scope Site -Partition * </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the highest Update Sequence Number (USN) for all partitions from all the Domain Controllers in site 'NorthAmerica'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 5 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationUpToDatenessVectorTable -Target "corp.contoso.com" -Scope Domain -Partition Default </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the highest Update Sequence Number (USN) for the default partition from all the Domain Controllers in domain 'corp.contoso.com'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 6 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationUpToDatenessVectorTable -Target "corp.contoso.com" -Scope Forest -Partition Configuration </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the highest Update Sequence Number (USN) for the configuration partition from all the Domain Controllers in forest 'corp.contoso.com'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291047</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADResourceProperty</command:name><maml:description><maml:para>Gets one or more resource properties.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADResourceProperty</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADResourceProperty cmdlet gets one or more resource properties. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADResourceProperty</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADResourceProperty</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Country,CN=Resource Properties,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADResourceProperty</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADResourceProperty</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LDAPFilter</maml:name><maml:description><maml:para>Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description and the about_ActiveDirectory_Filter. </maml:para><maml:para>The following example shows how to set this parameter to search for all objects in the organizational unit specified by the SearchBase parameter with a name beginning with "sara". </maml:para><maml:para>-LDAPFilter "(name=sara*)" -SearchScope Subtree -SearchBase "DC=NA,DC=fabrikam,DC=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Country,CN=Resource Properties,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADResourceProperty</command:parameterValue><dev:type><maml:name>ADResourceProperty</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LDAPFilter</maml:name><maml:description><maml:para>Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description and the about_ActiveDirectory_Filter. </maml:para><maml:para>The following example shows how to set this parameter to search for all objects in the organizational unit specified by the SearchBase parameter with a name beginning with "sara". </maml:para><maml:para>-LDAPFilter "(name=sara*)" -SearchScope Subtree -SearchBase "DC=NA,DC=fabrikam,DC=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue>256</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Windows PowerShell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADResourceProperty</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADResourceProperty</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADResourceProperty -Filter {SharesValuesWith -eq 'Country'} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all the resource properties that refer to the claim type named 'Country' for their suggested values. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADResourceProperty Authors </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the resource property with display name 'Authors'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291048</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADResourcePropertyList</command:name><maml:description><maml:para>Retrieves resource property lists from Active Directory.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADResourcePropertyList</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADResourcePropertyList cmdlet retrieves resource property lists from Active Directory. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADResourcePropertyList</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADResourcePropertyList</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Global Resource Property List,CN=Resource Property Lists,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to a user object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADResourcePropertyList</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADResourcePropertyList</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LDAPFilter</maml:name><maml:description><maml:para>Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description and the about_ActiveDirectory_Filter. </maml:para><maml:para>The following example shows how to set this parameter to search for all objects in the organizational unit specified by the SearchBase parameter with a name beginning with "sara". </maml:para><maml:para>-LDAPFilter "(name=sara*)" -SearchScope Subtree -SearchBase "DC=NA,DC=fabrikam,DC=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Global Resource Property List,CN=Resource Property Lists,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to a user object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADResourcePropertyList</command:parameterValue><dev:type><maml:name>ADResourcePropertyList</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LDAPFilter</maml:name><maml:description><maml:para>Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description and the about_ActiveDirectory_Filter. </maml:para><maml:para>The following example shows how to set this parameter to search for all objects in the organizational unit specified by the SearchBase parameter with a name beginning with "sara". </maml:para><maml:para>-LDAPFilter "(name=sara*)" -SearchScope Subtree -SearchBase "DC=NA,DC=fabrikam,DC=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue>256</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADResourcePropertyList</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADResourcePropertyList</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADResourcePropertyList -Filter * </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Retrieves a list of all resource property lists. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADResourcePropertyList -Filter {Members -eq 'Country'} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Retrieves all resource property lists that has the resource property "Country" in the list. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADResourcePropertyList "Global Resource Property List" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Retrieves the global resource property list. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291049</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADResourcePropertyValueType</command:name><maml:description><maml:para>Retrieves a resource property value type from Active Directory. </maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADResourcePropertyValueType</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADResourcePropertyValueType cmdlet retrieves a resource property value type from Active Directory. The resource property value type supports the following Active Directory primitives (ValueType, IsSingleValued, RestrictValues) and a Boolean indicating whether SuggestedValues are allowed. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADResourcePropertyValueType</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADResourcePropertyValueType</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory user object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=MS-DS-Text,CN=Value Types,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to a user object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADResourcePropertyValueType</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADResourcePropertyValueType</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LDAPFilter</maml:name><maml:description><maml:para>Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description and the about_ActiveDirectory_Filter. </maml:para><maml:para>The following example shows how to set this parameter to search for all objects in the organizational unit specified by the SearchBase parameter with a name beginning with "sara". </maml:para><maml:para>-LDAPFilter "(name=sara*)" -SearchScope Subtree -SearchBase "DC=NA,DC=fabrikam,DC=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory user object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=MS-DS-Text,CN=Value Types,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to a user object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADResourcePropertyValueType</command:parameterValue><dev:type><maml:name>ADResourcePropertyValueType</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LDAPFilter</maml:name><maml:description><maml:para>Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description and the about_ActiveDirectory_Filter. </maml:para><maml:para>The following example shows how to set this parameter to search for all objects in the organizational unit specified by the SearchBase parameter with a name beginning with "sara". </maml:para><maml:para>-LDAPFilter "(name=sara*)" -SearchScope Subtree -SearchBase "DC=NA,DC=fabrikam,DC=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADResourcePropertyValueType</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADResourcePropertyValueType</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Default </maml:para><maml:para>1 ValueType </maml:para><maml:para>2 IsSingleValued </maml:para><maml:para>3 RestrictValues </maml:para><maml:para>4 AreSuggestedValuesPresent </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADResourcePropertyValueType -Filter * | ft Name </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Retrieves the names of all resource property value types. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADResourcePropertyValueType -Filter {ResourceProperties -eq 'Country' -or ResourceProperties -eq 'Authors'} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Retrieves all resource property value types that the resource properties "Country" and "Authors" use. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADResourcePropertyValueType "MS-DS-Text" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Retrieves a resource property value type named "MS-DS-Text". </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291050</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADRootDSE</command:name><maml:description><maml:para>Gets the root of a Directory Server information tree. </maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADRootDSE</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADRootDSE cmdlet gets the conceptual object representing the root of the directory information tree of a directory server. This tree provides information about the configuration and capabilities of the directory server, such as the distinguished name for the configuration container, the current time on the directory server, and the functional levels of the directory server and the domain. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADRootDSE</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADRootDSE</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>An ADRootDSE object that represents the data tree for the specified directory server is output by this cmdlet. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADRootDSE configurationNamingContext : CN=Configuration,DC=Fabrikam,DC=com currentTime : 3/18/2009 11:12:55 AM defaultNamingContext : DC=Fabrikam,DC=com dnsHostName : FABRIKAM-DC1.Fabrikam.com domainControllerFunctionality : Windows2008R2 domainFunctionality : Windows2003Domain dsServiceName : CN=NTDS Settings,CN=FABRIKAM-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Fabrikam,DC=com forestFunctionality : Windows2003Forest highestCommittedUSN : 23015 isGlobalCatalogReady : {TRUE} isSynchronized : {TRUE} ldapServiceName : Fabrikam.com:FABRIKAM-DC1$@FABRIKAM.COM namingContexts : {DC=Fabrikam,DC=com, CN=Configuration,DC=Fabrikam,DC=com, CN=Schema,CN=Configuration,DC=Fabrikam,DC=com, DC=DomainDnsZones,DC=Fabrikam,DC=com...} rootDomainNamingContext : DC=Fabrikam,DC=com schemaNamingContext : CN=Schema,CN=Configuration,DC=Fabrikam,DC=com serverName : CN=FABRIKAM-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Fabrikam,DC=com subschemaSubentry : CN=Aggregate,CN=Schema,CN=Configuration,DC=Fabrikam,DC=com supportedCapabilities : {1.2.840.113556.1.4.800 (LDAP_CAP_ACTIVE_DIRECTORY_OID), 1.2.840.113556.1.4.1670 (LDAP_CAP_ACTIVE_DIRECTORY_V51_OID), 1.2.840.113556.1.4.1791 (LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID), 1.2.840.113556.1.4.1935 (LDAP_CAP_ACTIVE_DIRECTORY_V61_OID)...} supportedControl : {1.2.840.113556.1.4.319 (LDAP_PAGED_RESULT_OID_STRING), 1.2.840.113556.1.4.801 (LDAP_SERVER_SD_FLAGS_OID), 1.2.840.113556.1.4.473 (LDAP_SERVER_SORT_OID), 1.2.840.113556.1.4.528 (LDAP_SERVER_NOTIFICATION_OID)...} supportedLDAPPolicies : {MaxPoolThreads, MaxDatagramRecv, MaxReceiveBuffer, InitRecvTimeout...} supportedLDAPVersion : {3, 2} supportedSASLMechanisms : {GSSAPI, GSS-SPNEGO, EXTERNAL, DIGEST-MD5} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the rooDSE from the default domain controller. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADRootDSE -Server Fabrikam-RODC1 -Properties supportedExtension configurationNamingContext : CN=Configuration,DC=Fabrikam,DC=com currentTime : 3/18/2009 11:12:55 AM defaultNamingContext : DC=Fabrikam,DC=com dnsHostName : FABRIKAM-RODC1.Fabrikam.com domainControllerFunctionality : Windows2008R2 domainFunctionality : Windows2003Domain dsServiceName : CN=NTDS Settings,CN=FABRIKAM-RODC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Fabrikam,DC=com forestFunctionality : Windows2003Forest highestCommittedUSN : 23015 isGlobalCatalogReady : {TRUE} isSynchronized : {TRUE} ldapServiceName : Fabrikam.com:FABRIKAM-RODC1$@FABRIKAM.COM namingContexts : {DC=Fabrikam,DC=com, CN=Configuration,DC=Fabrikam,DC=com, CN=Schema,CN=Configuration,DC=Fabrikam,DC=com, DC=DomainDnsZones,DC=Fabrikam,DC=com...} rootDomainNamingContext : DC=Fabrikam,DC=com schemaNamingContext : CN=Schema,CN=Configuration,DC=Fabrikam,DC=com serverName : CN=FABRIKAM-RODC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Fabrikam,DC=com subschemaSubentry : CN=Aggregate,CN=Schema,CN=Configuration,DC=Fabrikam,DC=com supportedCapabilities : {1.2.840.113556.1.4.800 (LDAP_CAP_ACTIVE_DIRECTORY_OID), 1.2.840.113556.1.4.1670 (LDAP_CAP_ACTIVE_DIRECTORY_V51_OID), 1.2.840.113556.1.4.1791 (LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID), 1.2.840.113556.1.4.1935 (LDAP_CAP_ACTIVE_DIRECTORY_V61_OID)...} supportedControl : {1.2.840.113556.1.4.319 (LDAP_PAGED_RESULT_OID_STRING), 1.2.840.113556.1.4.801 (LDAP_SERVER_SD_FLAGS_OID), 1.2.840.113556.1.4.473 (LDAP_SERVER_SORT_OID), 1.2.840.113556.1.4.528 (LDAP_SERVER_NOTIFICATION_OID)...} supportedExtension : {1.3.6.1.4.1.1466.20037, 1.3.6.1.4.1.1466.101.119.1, 1.2.840.113556.1.4.1781, 1.3.6.1.4.1.4203.1.11.3} supportedLDAPPolicies : {MaxPoolThreads, MaxDatagramRecv, MaxReceiveBuffer, InitRecvTimeout...} supportedLDAPVersion : {3, 2} supportedSASLMechanisms : {GSSAPI, GSS-SPNEGO, EXTERNAL, DIGEST-MD5} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the rootDSE information including the supportedExtension property for Fabrikam-RODC1 server. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADRootDSE -Server "FABRIKAM-ADLDS1.Fabrikam.com:60000" -Credential "FABRIKAM\User1" configurationNamingContext : CN=Configuration,CN={9131D98B-E210-480F-A95D-24F9396898CA} currentTime : 3/18/2009 11:40:19 AM dnsHostName : FABRIKAM-ADLDS1.Fabrikam.com domainControllerFunctionality : Windows2008R2 dsServiceName : CN=NTDS Settings,CN=FABRIKAM-ADLDS1$instance1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,C N=Configuration,CN={9131D98B-E210-480F-A95D-24F9396898CA} forestFunctionality : Windows2003Forest highestCommittedUSN : 13967 isSynchronized : {TRUE} namingContexts : {CN=Configuration,CN={9131D98B-E210-480F-A95D-24F9396898CA}, CN=Schema,CN=Configuration,CN={9131D98B-E210-480F-A95D-24F9396898CA}, DC=AppNC} schemaNamingContext : CN=Schema,CN=Configuration,CN={9131D98B-E210-480F-A95D-24F9396898CA} serverName : CN=FABRIKAM-ADLDS1$instance1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={9131D98B-E210-480F-A95D-24F9396898CA} subschemaSubentry : CN=Aggregate,CN=Schema,CN=Configuration,CN={9131D98B-E210-480F-A95D-24F9396898CA} supportedCapabilities : {1.2.840.113556.1.4.1851 (LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID), 1.2.840.113556.1.4.1670 (LDAP_CAP_ACTIVE_DIRECTORY_V51_OID), 1.2.840.113556.1.4.1791 (LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID), 1.2.840.113556.1.4.1935 (LDAP_CAP_ACTIVE_DIRECTORY_V61_OID)...} supportedControl : {1.2.840.113556.1.4.319 (LDAP_PAGED_RESULT_OID_STRING), 1.2.840.113556.1.4.801 (LDAP_SERVER_SD_FLAGS_OID), 1.2.840.113556.1.4.473 (LDAP_SERVER_SORT_OID), 1.2.840.113556.1.4.528 (LDAP_SERVER_NOTIFICATION_OID)...} supportedLDAPPolicies : {MaxPoolThreads, MaxDatagramRecv, MaxReceiveBuffer, InitRecvTimeout...} supportedLDAPVersion : {3, 2} supportedSASLMechanisms : {GSSAPI, GSS-SPNEGO, EXTERNAL, DIGEST-MD5} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the rootDSE information of FABRIKAM-ADLDS1 using the FABRIKAM\user1 credentials. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291051</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADServiceAccount</command:name><maml:description><maml:para>Gets one or more Active Directory managed service accounts or group managed service accounts.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADServiceAccount</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADServiceAccount cmdlet gets a managed service account (MSA) or performs a search to retrieve MSAs. </maml:para><maml:para>The Identity parameter specifies the Active Directory MSA to get. You can identify a MSA by its distinguished name Members (DN), GUID, security identifier (SID), or Security Accounts Manager (SAM) account name. You can also set the parameter to a MSA object variable, such as $<localServiceaccountObject> or pass a MSA object through the pipeline to the Identity parameter. </maml:para><maml:para>To search for and retrieve more than one MSA, use the Filter or LDAPFilter parameters. The Filter parameter uses the PowerShell Expression Language to write query strings for Active Directory. PowerShell Expression Language syntax provides rich type conversion support for value types received by the Filter parameter. For more information about the Filter parameter syntax, see about_ActiveDirectory_Filter. If you have existing LDAP query strings, you can use the LDAPFilter parameter. </maml:para><maml:para>This cmdlet gets a default set of MSA object properties. To retrieve additional properties use the Properties parameter. For more information about the how to determine the properties for service account objects, see the Properties parameter description. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADServiceAccount</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchBase</maml:name><maml:description><maml:para>Specifies an Active Directory path to search under. </maml:para><maml:para>When you run a cmdlet from an Active Directory provider drive, the default value of this parameter is the current path of the drive. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD DS target, the default value of this parameter is the default naming context of the target domain. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD LDS target, the default value is the default naming context of the target LDS instance if one has been specified by setting the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. If no default naming context has been specified for the target AD LDS instance, then this parameter has no default value. </maml:para><maml:para>The following example shows how to set this parameter to search under an OU. </maml:para><maml:para>-SearchBase "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>When the value of the SearchBase parameter is set to an empty string and you are connected to a GC port, all partitions will be searched. If the value of the SearchBase parameter is set to an empty string and you are not connected to a GC port, an error will be thrown. </maml:para><maml:para>The following example shows how to set this parameter to an empty string. -SearchBase "" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchScope</maml:name><maml:description><maml:para>Specifies the scope of an Active Directory search. Possible values for this parameter are: </maml:para><maml:para>Base or 0 </maml:para><maml:para>OneLevel or 1 </maml:para><maml:para>Subtree or 2 </maml:para><maml:para>A Base query searches only the current path or object. A OneLevel query searches the immediate children of that path or object. A Subtree query searches the current path or object and all children of that path or object. </maml:para><maml:para>The following example shows how to set this parameter to a subtree search. </maml:para><maml:para>-SearchScope Subtree </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Base</command:parameterValue><command:parameterValue required="true" variableLength="false">OneLevel</command:parameterValue><command:parameterValue required="true" variableLength="false">Subtree</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADServiceAccount</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Distinguished Name Specifies an Active Directory account object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Example: CN=WebAccount,CN=ManagedServiceAccounts,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: WebAccount$ </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=WebAccount,CN=ManagedServiceAccounts,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to an account object instance named "AccountInstance". </maml:para><maml:para>-Identity $AccountInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADServiceAccount</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADServiceAccount</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchBase</maml:name><maml:description><maml:para>Specifies an Active Directory path to search under. </maml:para><maml:para>When you run a cmdlet from an Active Directory provider drive, the default value of this parameter is the current path of the drive. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD DS target, the default value of this parameter is the default naming context of the target domain. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD LDS target, the default value is the default naming context of the target LDS instance if one has been specified by setting the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. If no default naming context has been specified for the target AD LDS instance, then this parameter has no default value. </maml:para><maml:para>The following example shows how to set this parameter to search under an OU. </maml:para><maml:para>-SearchBase "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>When the value of the SearchBase parameter is set to an empty string and you are connected to a GC port, all partitions will be searched. If the value of the SearchBase parameter is set to an empty string and you are not connected to a GC port, an error will be thrown. </maml:para><maml:para>The following example shows how to set this parameter to an empty string. -SearchBase "" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchScope</maml:name><maml:description><maml:para>Specifies the scope of an Active Directory search. Possible values for this parameter are: </maml:para><maml:para>Base or 0 </maml:para><maml:para>OneLevel or 1 </maml:para><maml:para>Subtree or 2 </maml:para><maml:para>A Base query searches only the current path or object. A OneLevel query searches the immediate children of that path or object. A Subtree query searches the current path or object and all children of that path or object. </maml:para><maml:para>The following example shows how to set this parameter to a subtree search. </maml:para><maml:para>-SearchScope Subtree </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Base</command:parameterValue><command:parameterValue required="true" variableLength="false">OneLevel</command:parameterValue><command:parameterValue required="true" variableLength="false">Subtree</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LDAPFilter</maml:name><maml:description><maml:para>Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description and the about_ActiveDirectory_Filter. </maml:para><maml:para>The following example shows how to set this parameter to search for all objects in the organizational unit specified by the SearchBase parameter with a name beginning with "sara". </maml:para><maml:para>-LDAPFilter "(name=sara*)" -SearchScope Subtree -SearchBase "DC=NA,DC=fabrikam,DC=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Distinguished Name Specifies an Active Directory account object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Example: CN=WebAccount,CN=ManagedServiceAccounts,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: WebAccount$ </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=WebAccount,CN=ManagedServiceAccounts,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to an account object instance named "AccountInstance". </maml:para><maml:para>-Identity $AccountInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADServiceAccount</command:parameterValue><dev:type><maml:name>ADServiceAccount</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LDAPFilter</maml:name><maml:description><maml:para>Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description and the about_ActiveDirectory_Filter. </maml:para><maml:para>The following example shows how to set this parameter to search for all objects in the organizational unit specified by the SearchBase parameter with a name beginning with "sara". </maml:para><maml:para>-LDAPFilter "(name=sara*)" -SearchScope Subtree -SearchBase "DC=NA,DC=fabrikam,DC=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue>256</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchBase</maml:name><maml:description><maml:para>Specifies an Active Directory path to search under. </maml:para><maml:para>When you run a cmdlet from an Active Directory provider drive, the default value of this parameter is the current path of the drive. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD DS target, the default value of this parameter is the default naming context of the target domain. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD LDS target, the default value is the default naming context of the target LDS instance if one has been specified by setting the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. If no default naming context has been specified for the target AD LDS instance, then this parameter has no default value. </maml:para><maml:para>The following example shows how to set this parameter to search under an OU. </maml:para><maml:para>-SearchBase "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>When the value of the SearchBase parameter is set to an empty string and you are connected to a GC port, all partitions will be searched. If the value of the SearchBase parameter is set to an empty string and you are not connected to a GC port, an error will be thrown. </maml:para><maml:para>The following example shows how to set this parameter to an empty string. -SearchBase "" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchScope</maml:name><maml:description><maml:para>Specifies the scope of an Active Directory search. Possible values for this parameter are: </maml:para><maml:para>Base or 0 </maml:para><maml:para>OneLevel or 1 </maml:para><maml:para>Subtree or 2 </maml:para><maml:para>A Base query searches only the current path or object. A OneLevel query searches the immediate children of that path or object. A Subtree query searches the current path or object and all children of that path or object. </maml:para><maml:para>The following example shows how to set this parameter to a subtree search. </maml:para><maml:para>-SearchScope Subtree </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADSearchScope</command:parameterValue><dev:type><maml:name>ADSearchScope</maml:name><maml:uri /></dev:type><dev:defaultValue>Subtree</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADServiceAccount</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A managed service account object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADServiceAccount</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns one or more managed service account (MSA) objects. </maml:para><maml:para>This cmdlet returns a default set of ADService account property values. To retrieve additional ADService account properties, use the Properties parameter. </maml:para><maml:para>To view the properties for an ADService account object, see the following examples. To run these examples, replace <service account> with a MSA identifier such as the name of a MSA. </maml:para><maml:para>To get a list of the default set of properties of an ADService account object, use the following command: </maml:para><maml:para>Get-ADService account <service account>| Get-Member </maml:para><maml:para>To get a list of all the properties of an ADService account object, use the following command: </maml:para><maml:para>Get-ADService account <service account> -Properties ALL | Get-Member </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with AD LDS. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADServiceAccount -Identity service1 Enabled : True Name : service1 UserPrincipalName : SamAccountName : service1$ ObjectClass : msDS-ManagedServiceAccount SID : S-1-5-21-159507390-2980359153-3438059098-29770 ObjectGUID : eaa435ee-6ebc-44dd-b4b6-dc1bb5bcd23a HostComputers : DistinguishedName : CN=service1,CN=Managed Service Accounts,DC=contoso,DC=com </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Retrieve Service-Account with samAccountName 'service1'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADServiceAccount -Identity S-1-5-21-159507390-2980359153-3438059098-29770 Enabled : True Name : service1 UserPrincipalName : SamAccountName : service1$ ObjectClass : msDS-ManagedServiceAccount SID : S-1-5-21-159507390-2980359153-3438059098-29770 ObjectGUID : eaa435ee-6ebc-44dd-b4b6-dc1bb5bcd23a HostComputers : DistinguishedName : CN=service1,CN=Managed Service Accounts,DC=contoso,DC=com </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Retrieve the managed service account with SID S-1-5-21-159507390-2980359153-3438059098-29770'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADServiceAccount -Filter {HostComputers -eq "CN=SQL-Server-1, DC=contoso,DC=com" } Enabled : True Name : service1 UserPrincipalName : SamAccountName : service1$ ObjectClass : msDS-ManagedServiceAccount SID : S-1-5-21-159507390-2980359153-3438059098-29770 ObjectGUID : eaa435ee-6ebc-44dd-b4b6-dc1bb5bcd23a HostComputers : {CN=SQL-Server-1, DC=contoso,DC=com} DistinguishedName : CN=service1,CN=Managed Service Accounts,DC=contoso,DC=com </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Find the Managed Service Accounts installed on the computer "CN=SQL-Server-1,DC=contoso,DC=com". </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291052</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Install-ADServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Uninstall-ADServiceAccount</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADTrust</command:name><maml:description><maml:para>Returns all trusted domain objects in the directory.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADTrust</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADTrust cmdlet returns all trusted domain objects in the directory. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADTrust</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADTrust</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: fabrikam.com,CN=System,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADTrust</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADTrust</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="named" aliases=""><maml:name>InputObject</maml:name><maml:description><maml:para>Specifies an Active Directory input object. This parameter can accept one of the the following object types: </maml:para><maml:para>- ADForest </maml:para><maml:para>- ADDomain </maml:para><maml:para>- ADObject </maml:para><maml:para>The cmdlet will retrieve the corresponding ADTrust based on the input object specified. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Object</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADTrust</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LDAPFilter</maml:name><maml:description><maml:para>Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description and the about_ActiveDirectory_Filter. </maml:para><maml:para>The following example shows how to set this parameter to search for all objects in the organizational unit specified by the SearchBase parameter with a name beginning with "sara". </maml:para><maml:para>-LDAPFilter "(name=sara*)" -SearchScope Subtree -SearchBase "DC=NA,DC=fabrikam,DC=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: fabrikam.com,CN=System,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADTrust</command:parameterValue><dev:type><maml:name>ADTrust</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="named" aliases=""><maml:name>InputObject</maml:name><maml:description><maml:para>Specifies an Active Directory input object. This parameter can accept one of the the following object types: </maml:para><maml:para>- ADForest </maml:para><maml:para>- ADDomain </maml:para><maml:para>- ADObject </maml:para><maml:para>The cmdlet will retrieve the corresponding ADTrust based on the input object specified. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Object</command:parameterValue><dev:type><maml:name>Object</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LDAPFilter</maml:name><maml:description><maml:para>Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description and the about_ActiveDirectory_Filter. </maml:para><maml:para>The following example shows how to set this parameter to search for all objects in the organizational unit specified by the SearchBase parameter with a name beginning with "sara". </maml:para><maml:para>-LDAPFilter "(name=sara*)" -SearchScope Subtree -SearchBase "DC=NA,DC=fabrikam,DC=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADTrust</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A trusted domain object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADTrust</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADTrust -Filter * </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all the trusted domain objects in the forest. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADTrust -Filter {Target -eq "corp.contoso.com"} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all the trusted domain objects with 'corp.contoso.com' as the trust partner. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADTrust "corp.contoso.com" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the trusted domain object with name 'corp.contoso.com' </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291053</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADUser</command:name><maml:description><maml:para>Gets one or more Active Directory users.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADUser</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADUser cmdlet gets a user object or performs a search to retrieve multiple user objects. </maml:para><maml:para>The Identity parameter specifies the Active Directory user to get. You can identify a user by its distinguished name (DN), GUID, security identifier (SID), Security Accounts Manager (SAM) account name or name. You can also set the parameter to a user object variable, such as $<localUserObject> or pass a user object through the pipeline to the Identity parameter. </maml:para><maml:para>To search for and retrieve more than one user, use the Filter or LDAPFilter parameters. The Filter parameter uses the PowerShell Expression Language to write query strings for Active Directory. PowerShell Expression Language syntax provides rich type conversion support for value types received by the Filter parameter. For more information about the Filter parameter syntax, see about_ActiveDirectory_Filter. If you have existing LDAP query strings, you can use the LDAPFilter parameter. </maml:para><maml:para>This cmdlet retrieves a default set of user object properties. To retrieve additional properties use the Properties parameter. For more information about the how to determine the properties for user objects, see the Properties parameter description. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADUser</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchBase</maml:name><maml:description><maml:para>Specifies an Active Directory path to search under. </maml:para><maml:para>When you run a cmdlet from an Active Directory provider drive, the default value of this parameter is the current path of the drive. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD DS target, the default value of this parameter is the default naming context of the target domain. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD LDS target, the default value is the default naming context of the target LDS instance if one has been specified by setting the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. If no default naming context has been specified for the target AD LDS instance, then this parameter has no default value. </maml:para><maml:para>The following example shows how to set this parameter to search under an OU. </maml:para><maml:para>-SearchBase "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>When the value of the SearchBase parameter is set to an empty string and you are connected to a GC port, all partitions will be searched. If the value of the SearchBase parameter is set to an empty string and you are not connected to a GC port, an error will be thrown. </maml:para><maml:para>The following example shows how to set this parameter to an empty string. -SearchBase "" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchScope</maml:name><maml:description><maml:para>Specifies the scope of an Active Directory search. Possible values for this parameter are: </maml:para><maml:para>Base or 0 </maml:para><maml:para>OneLevel or 1 </maml:para><maml:para>Subtree or 2 </maml:para><maml:para>A Base query searches only the current path or object. A OneLevel query searches the immediate children of that path or object. A Subtree query searches the current path or object and all children of that path or object. </maml:para><maml:para>The following example shows how to set this parameter to a subtree search. </maml:para><maml:para>-SearchScope Subtree </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Base</command:parameterValue><command:parameterValue required="true" variableLength="false">OneLevel</command:parameterValue><command:parameterValue required="true" variableLength="false">Subtree</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADUser</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory user object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM account name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=SaraDavis,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a user object instance named "userInstance". </maml:para><maml:para>-Identity $userInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADUser</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Get-ADUser</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchBase</maml:name><maml:description><maml:para>Specifies an Active Directory path to search under. </maml:para><maml:para>When you run a cmdlet from an Active Directory provider drive, the default value of this parameter is the current path of the drive. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD DS target, the default value of this parameter is the default naming context of the target domain. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD LDS target, the default value is the default naming context of the target LDS instance if one has been specified by setting the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. If no default naming context has been specified for the target AD LDS instance, then this parameter has no default value. </maml:para><maml:para>The following example shows how to set this parameter to search under an OU. </maml:para><maml:para>-SearchBase "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>When the value of the SearchBase parameter is set to an empty string and you are connected to a GC port, all partitions will be searched. If the value of the SearchBase parameter is set to an empty string and you are not connected to a GC port, an error will be thrown. </maml:para><maml:para>The following example shows how to set this parameter to an empty string. -SearchBase "" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchScope</maml:name><maml:description><maml:para>Specifies the scope of an Active Directory search. Possible values for this parameter are: </maml:para><maml:para>Base or 0 </maml:para><maml:para>OneLevel or 1 </maml:para><maml:para>Subtree or 2 </maml:para><maml:para>A Base query searches only the current path or object. A OneLevel query searches the immediate children of that path or object. A Subtree query searches the current path or object and all children of that path or object. </maml:para><maml:para>The following example shows how to set this parameter to a subtree search. </maml:para><maml:para>-SearchScope Subtree </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Base</command:parameterValue><command:parameterValue required="true" variableLength="false">OneLevel</command:parameterValue><command:parameterValue required="true" variableLength="false">Subtree</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LDAPFilter</maml:name><maml:description><maml:para>Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description and the about_ActiveDirectory_Filter. </maml:para><maml:para>The following example shows how to set this parameter to search for all objects in the organizational unit specified by the SearchBase parameter with a name beginning with "sara". </maml:para><maml:para>-LDAPFilter "(name=sara*)" -SearchScope Subtree -SearchBase "DC=NA,DC=fabrikam,DC=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Filter</maml:name><maml:description><maml:para>Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter. </maml:para><maml:para>Syntax: </maml:para><maml:para>The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter. </maml:para><maml:para><filter> ::= "{" <FilterComponentList> "}" </maml:para><maml:para><FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent> </maml:para><maml:para><FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")" </maml:para><maml:para><FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" </maml:para><maml:para><JoinOperator> ::= "-and" | "-or" </maml:para><maml:para><NotOperator> ::= "-not" </maml:para><maml:para><attr> ::= <PropertyName> | <LDAPDisplayName of the attribute> </maml:para><maml:para><value>::= <compare this value with an <attr> by using the specified <FilterOperator>> </maml:para><maml:para>For a list of supported types for <value>, see about_ActiveDirectory_ObjectModel. </maml:para><maml:para>Examples: </maml:para><maml:para>The following examples show how to use this syntax with Active Directory cmdlets. </maml:para><maml:para>To get all objects of the type specified by the cmdlet, use the asterisk wildcard: </maml:para><maml:para>All user objects: </maml:para><maml:para>Get-ADUser -Filter * </maml:para><maml:para>-or- </maml:para><maml:para>All computer objects: </maml:para><maml:para>Get-ADComputer -Filter * </maml:para><maml:para>To get all user objects that have an e-mail message attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -Filter {EmailAddress -like "*"} </maml:para><maml:para>Get-ADUser -Filter {mail -like "*"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADObject -Filter {(mail -like "*") -and (ObjectClass -eq "user")} </maml:para><maml:para>Note: PowerShell wildcards other than "*", such as "?" are not supported by the Filter syntax. </maml:para><maml:para>To get all users objects that have surname of Smith and that have an e-mail attribute, use one of the following commands: </maml:para><maml:para>Get-ADUser -filter {(EmailAddress -like "*") -and (Surname -eq "smith")} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADUser -filter {(mail -eq "*") -and (sn -eq "Smith")} </maml:para><maml:para>To get all user objects who have not logged on since January 1, 2007, use the following commands: </maml:para><maml:para>$logonDate = New-Object System.DateTime(2007, 1, 1) </maml:para><maml:para>Get-ADUser -filter { lastLogon -le $logonDate } </maml:para><maml:para>To get all groups that have a group category of Security and a group scope of Global, use one of the following commands: </maml:para><maml:para>Get-ADGroup -filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} </maml:para><maml:para>-or- </maml:para><maml:para>Get-ADGroup -filter {GroupType -band 0x80000000} </maml:para><maml:para>Note: To query using LDAP query strings, use the LDAPFilter parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory user object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM account name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=SaraDavis,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a user object instance named "userInstance". </maml:para><maml:para>-Identity $userInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADUser</command:parameterValue><dev:type><maml:name>ADUser</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LDAPFilter</maml:name><maml:description><maml:para>Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description and the about_ActiveDirectory_Filter. </maml:para><maml:para>The following example shows how to set this parameter to search for all objects in the organizational unit specified by the SearchBase parameter with a name beginning with "sara". </maml:para><maml:para>-LDAPFilter "(name=sara*)" -SearchScope Subtree -SearchBase "DC=NA,DC=fabrikam,DC=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="Property"><maml:name>Properties</maml:name><maml:description><maml:para>Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set. </maml:para><maml:para>Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk). </maml:para><maml:para>To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute. </maml:para><maml:para>To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet. The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object. </maml:para><maml:para>Get-ADGroup -Identity Administrators | Get-Member </maml:para><maml:para>To retrieve and display the list of all the properties for an ADGroup object, use the following command: </maml:para><maml:para>Get-ADGroup -Identity Administrators -Properties *| Get-Member </maml:para><maml:para>The following examples show how to use the Properties parameter to retrieve individual properties as well as the default, extended or complete set of properties. </maml:para><maml:para>To retrieve the extended properties "OfficePhone" and "Organization" and the default properties of an ADUser object named "SaraDavis", use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties OfficePhone,Organization </maml:para><maml:para>To retrieve the properties with LDAP display names of "otherTelephone" and "otherMobile", in addition to the default properties for the same user, use the following command: </maml:para><maml:para>GetADUser -Identity SaraDavis -Properties otherTelephone, otherMobile |Get-Member </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultPageSize</maml:name><maml:description><maml:para>Specifies the number of objects to include in one page for an Active Directory Domain Services query. </maml:para><maml:para>The default is 256 objects per page. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ResultPageSize 500 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue>256</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResultSetSize</maml:name><maml:description><maml:para>Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. </maml:para><maml:para>The default is $null. </maml:para><maml:para>The following example shows how to set this parameter so that you receive all of the returned objects. </maml:para><maml:para>-ResultSetSize $null </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchBase</maml:name><maml:description><maml:para>Specifies an Active Directory path to search under. </maml:para><maml:para>When you run a cmdlet from an Active Directory provider drive, the default value of this parameter is the current path of the drive. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD DS target, the default value of this parameter is the default naming context of the target domain. </maml:para><maml:para>When you run a cmdlet outside of an Active Directory provider drive against an AD LDS target, the default value is the default naming context of the target LDS instance if one has been specified by setting the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. If no default naming context has been specified for the target AD LDS instance, then this parameter has no default value. </maml:para><maml:para>The following example shows how to set this parameter to search under an OU. </maml:para><maml:para>-SearchBase "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>When the value of the SearchBase parameter is set to an empty string and you are connected to a GC port, all partitions will be searched. If the value of the SearchBase parameter is set to an empty string and you are not connected to a GC port, an error will be thrown. </maml:para><maml:para>The following example shows how to set this parameter to an empty string. -SearchBase "" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SearchScope</maml:name><maml:description><maml:para>Specifies the scope of an Active Directory search. Possible values for this parameter are: </maml:para><maml:para>Base or 0 </maml:para><maml:para>OneLevel or 1 </maml:para><maml:para>Subtree or 2 </maml:para><maml:para>A Base query searches only the current path or object. A OneLevel query searches the immediate children of that path or object. A Subtree query searches the current path or object and all children of that path or object. </maml:para><maml:para>The following example shows how to set this parameter to a subtree search. </maml:para><maml:para>-SearchScope Subtree </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADSearchScope</command:parameterValue><dev:type><maml:name>ADSearchScope</maml:name><maml:uri /></dev:type><dev:defaultValue>Subtree</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADUser</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A user object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADUser</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns one or more user objects. </maml:para><maml:para>This cmdlet returns a default set of ADUser property values. To retrieve additional ADUser properties, use the Properties parameter. </maml:para><maml:para>To get a list of the default set of properties of an ADUser object, use the following command: </maml:para><maml:para>Get-ADUser <user>| Get-Member </maml:para><maml:para>To get a list of the most commonly used properties of an ADUser object, use the following command: </maml:para><maml:para>Get-ADUser <user> -Properties Extended | Get-Member </maml:para><maml:para>To get a list of all the properties of an ADUser object, use the following command: </maml:para><maml:para>Get-ADUser <user> -Properties * | Get-Member </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADUser -Filter * -SearchBase "OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all users under the container 'OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADUser -Filter 'Name -like "*SvcAccount"' | FT Name,SamAccountName -A Name SamAccountName ---- -------------- SQL01 SvcAccount SQL01 SQL02 SvcAccount SQL02 IIS01 SvcAccount IIS01 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all users that have a name that ends with 'SvcAccount'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADUser GlenJohn -Properties * Surname : John Name : Glen John UserPrincipalName : GivenName : Glen Enabled : False SamAccountName : GlenJohn ObjectClass : user SID : S-1-5-21-2889043008-4136710315-2444824263-3544 ObjectGUID : e1418d64-096c-4cb0-b903-ebb66562d99d DistinguishedName : CN=Glen John,OU=NorthAmerica,OU=Sales,OU=UserAccounts,DC=FABRIKAM,DC=COM </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all properties of the user with samAccountName 'GlenJohn'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADUser -Filter {Name -eq "GlenJohn"} -SearchBase "DC=AppNC" -Properties mail -Server lds.Fabrikam.com:50000 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the user with name 'GlenJohn' on the AD LDS instance. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291054</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADUser</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADUser</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADUser</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-ADUserResultantPasswordPolicy</command:name><maml:description><maml:para>Gets the resultant password policy for a user.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>ADUserResultantPasswordPolicy</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-ADUserResultantPasswordPolicy gets the resultant password policy object (RSoP) for a user. The RSoP is defined by the Active Directory attribute named msDS-ResultantPSO. </maml:para><maml:para>A user can have multiple password policy objects (PSOs) associated with it, but only one PSO is the RSoP. A PSO is associated with a user when the PSO applies directly to the user or when the PSO applies to an Active Directory group that contains the user. When more than one PSO policy is associated with a user or group, the RSoP value defines the PSO to apply. </maml:para><maml:para>The resultant password policy or RSoP for a user is determined by using the following procedure. </maml:para><maml:para>- If only one PSO is associated with a user, this PSO is the RSoP. </maml:para><maml:para>- If more than one PSO is associated with a user, the PSO that applies directly to the user is the RSoP. </maml:para><maml:para>- If more than one PSO applies directly to the user, the PSO with the lowest msDS-PasswordSettingsPrecedence attribute value is the RSoP and this event is logged as a warning in the Active Directory event log. The lowest attribute value represents the highest PSO precedence. For example, if the msDS-PasswordSettingsPrecedence values of two PSOs are 100 and 200, the PSO with the attribute value of 100 is the RSoP. </maml:para><maml:para>- If there are no PSOs that apply directly to the user, the PSOs of the global security groups that have the user as a member are compared. The PSO with the lowest msDS-PasswordSettingsPrecedence value is the RSoP. </maml:para><maml:para>The Identity parameter specifies the Active Directory user. You can identify a user by its distinguished name (DN), GUID, security identifier (SID) or Security Accounts Manager (SAM) account name. You can also set the parameter to a user object variable, such as $<localUserObject> or pass a user object through the pipeline to the Identity parameter. For example, you can use the Get-ADUser cmdlet to retrieve a user object and then pass the object through the pipeline to the Get-ADUserResultantPasswordPolicy cmdlet. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-ADUserResultantPasswordPolicy</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory user object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM account name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=SaraDavis,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a user object instance named "userInstance". </maml:para><maml:para>-Identity $userInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADUser</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory user object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM account name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=SaraDavis,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a user object instance named "userInstance". </maml:para><maml:para>-Identity $userInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADUser</command:parameterValue><dev:type><maml:name>ADUser</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADUser</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A user object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns a fine grained password policy object that represents the resultant password policy for the user. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with AD LDS. </maml:para><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADUserResultantPasswordPolicy BobKe Name : DomainUsersPSO ComplexityEnabled : True LockoutThreshold : 10 ReversibleEncryptionEnabled : False LockoutDuration : 12:00:00 LockoutObservationWindow : 00:15:00 MinPasswordLength : 8 Precedence : 500 ObjectGUID : f8d2653c-9b3b-499e-b272-4c7f4268df4c ObjectClass : msDS-PasswordSettings PasswordHistoryCount : 24 MinPasswordAge : 1.00:00:00 MaxPasswordAge : 60.00:00:00 AppliesTo : {CN=Domain Users,CN=Users,DC=FABRIKAM,DC=COM} DistinguishedName : CN=DomainUsersPSO,CN=Password Settings Container,CN=System,DC=FABRIKAM,DC=COM </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the resultant password policy for the user with samAccountName 'BobKe'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291055</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADUser</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Grant-ADAuthenticationPolicySiloAccess</command:name><maml:description><maml:para>Grants permission to join an authentication policy silo.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Grant</command:verb><command:noun>ADAuthenticationPolicySiloAccess</command:noun><dev:version /></command:details><maml:description><maml:para>The Grant-ADAuthenticationPolicySiloAccess cmdlet grants permission to an account to join an authentication policy silo in Active Directory® Domain Services.</maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Grant-ADAuthenticationPolicySiloAccess</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="0" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an ADAuthenticationPolicySilo object. Specify the authentication policy silo object in one of the following formats: --Distinguished Name --GUID --Name</maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If the cmdlet finds two or more objects, the cmdlet returns a non-terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicySilo</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Account</maml:name><maml:description><maml:para>Specifies the account to which to grant access to the authentication policy silo. Specify the account in one of the following formats: -- Distinguished Name -- GUID -- Security Identifier -- SAM Account Name </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>You can also use this parameter to specify a variable that contains user, computer, and service account objects.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAccount</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. The acceptable values for this parameter are: --Negotiate or 0 --Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.</maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform the task. The default is the current user. Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the <maml:navigationLink><maml:linkText>Get-Credential</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet. </maml:para><maml:para>By default, the cmdlet uses the credentials of the currently logged on user unless the cmdlet is run from an Active Directory Domain ServicesWindows PowerShell provider drive. If you run the cmdlet in a provider drive, the account associated with the drive is the default.</maml:para><maml:para>If you specify credentials that do not have permission to perform the task, the cmdlet returns an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to which to connect, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Specify the Active Directory Domain Services instance in one of the following ways: --Domain name values: ----Fully qualified domain name ----NetBIOS name --Directory server values: ----Fully qualified directory server name ----NetBIOS name ----Fully qualified directory server name and port</maml:para><maml:para>The default value for this parameter is determined by one of the following methods in the order that they are listed: --By using the Server value from objects passed through the pipeline --By using the server information associated with the Active Directory Domain ServicesWindows PowerShell provider drive, when the cmdlet runs in that drive --By using the domain of the computer running Windows PowerShell</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Account</maml:name><maml:description><maml:para>Specifies the account to which to grant access to the authentication policy silo. Specify the account in one of the following formats: -- Distinguished Name -- GUID -- Security Identifier -- SAM Account Name </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>You can also use this parameter to specify a variable that contains user, computer, and service account objects.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAccount</command:parameterValue><dev:type><maml:name>ADAccount</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. The acceptable values for this parameter are: --Negotiate or 0 --Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform the task. The default is the current user. Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the <maml:navigationLink><maml:linkText>Get-Credential</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet. </maml:para><maml:para>By default, the cmdlet uses the credentials of the currently logged on user unless the cmdlet is run from an Active Directory Domain ServicesWindows PowerShell provider drive. If you run the cmdlet in a provider drive, the account associated with the drive is the default.</maml:para><maml:para>If you specify credentials that do not have permission to perform the task, the cmdlet returns an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="0" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an ADAuthenticationPolicySilo object. Specify the authentication policy silo object in one of the following formats: --Distinguished Name --GUID --Name</maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If the cmdlet finds two or more objects, the cmdlet returns a non-terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicySilo</command:parameterValue><dev:type><maml:name>ADAuthenticationPolicySilo</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to which to connect, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Specify the Active Directory Domain Services instance in one of the following ways: --Domain name values: ----Fully qualified domain name ----NetBIOS name --Directory server values: ----Fully qualified directory server name ----NetBIOS name ----Fully qualified directory server name and port</maml:para><maml:para>The default value for this parameter is determined by one of the following methods in the order that they are listed: --By using the Server value from objects passed through the pipeline --By using the server information associated with the Active Directory Domain ServicesWindows PowerShell provider drive, when the cmdlet runs in that drive --By using the domain of the computer running Windows PowerShell</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADAccount, Microsoft.ActiveDirectory.Management.ADAuthenticationPolicySilo</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>System.Object</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title>Example 1: Grant access to an authentication policy silo to a user account</maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\>Grant-ADAuthenticationPolicySiloAccess -Identity AuthenticationPolicySilo01 -Account User01 </dev:code><dev:remarks><maml:para>This command grants access to the authentication policy silo named AuthenticationPolicySilo01 to the user account named User01.</maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title>Example 2: grant access to an authentication policy silo for filter matches</maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\>Get-ADComputer -Filter 'Name -like "newComputer*"' | Grant-ADAuthenticationPolicySiloAccess -Identity AuthenticationPolicySilo01 </dev:code><dev:remarks><maml:para>This example first uses the Get-ADComputer cmdlet to get a list of computers that match the filter specified by the Filter parameter. The output is then passed to the Grant-ADAuthenticationPolicySiloAccess to grant access to the authentication policy silo named AuthenticationPolicySilo02. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=288446</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Revoke-ADAuthenticationPolicySiloAccess</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Install-ADServiceAccount</command:name><maml:description><maml:para>Installs an Active Directory managed service account on a computer or caches a group managed service account on a computer.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Install</command:verb><command:noun>ADServiceAccount</command:noun><dev:version /></command:details><maml:description><maml:para>The Install-ADServiceAccount cmdlet installs an existing Active Directory managed service account (MSA) on the computer on which the cmdlet is run. This cmdlet verifies that the computer is eligible to host the MSA. The cmdlet also makes the required changes locally so that the MSA password can be managed without requiring any user action. </maml:para><maml:para>The Identity parameter specifies the Active Directory MSA to install. You can identify a MSA by its distinguished name Members (DN), GUID, security identifier (SID) or Security Accounts Manager (SAM) account name. You can also set the parameter to a MSA object variable, such as $<localServiceaccountObject> or pass a MSA object through the pipeline to the Identity parameter. For example, you can use Get-ADServiceAccount to get a MSA object and then pass the object through the pipeline to the Install-ADServiceAccount. </maml:para><maml:para>The AccountPassword parameter allows you to pass a SecureString that contains the password of a standalone MSA and is ignored for group MSAs. Alternatively you can use PromptForPassword switch parameter to be prompted for the standalone MSA password. You need to enter the password of a standalone MSA if you want to install an account that you have pre-provisioned early on. This is required when you are installing a standalone MSA on a server located on a segmented network (site) with no access to writable DCs but only RODCs (e.g. perimeter network or DMZ). In this case you should create the standalone MSA, link it with the appropriate computer account and assign a well-known password that needs to be passed when installing the standalone MSA on the server on the RODC-only site with no access to writable DCs. If you pass both AccountPassword and PromptForPassword parameters the AccountPassword parameter takes precedence. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Install-ADServiceAccount</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory account object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=WebAccount,CN=ManagedServiceAccounts,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: WebAccount$ </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=WebAccount,CN=ManagedServiceAccounts,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to an account object instance named "AccountInstance". </maml:para><maml:para>-Identity $AccountInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADServiceAccount</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AccountPassword</maml:name><maml:description><maml:para>The AccountPassword SecureString parameter will allow you to inline pass-in the password of a standalone Managed Service Account (MSA) that you have pre-provisioned early on and is ignored for group MSAs. This is required when you are installing a standalone MSA on a server located on a segmented network (site) with no access to writable DCs but only RODCs (e.g. perimeter network or DMZ). In this case you should create the standalone MSA, link it with the appropriate computer account and assign a well-known password that needs to be passed when installing the standalone MSA on the server on the RODC-only site with no access to writable DCs. If you pass both AccountPassword and PromptForPassword parameters the AccountPassword parameter takes precedence. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">SecureString</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Force</maml:name><maml:description><maml:para>Forces installation of the service account. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PromptForPassword</maml:name><maml:description><maml:para>The PromptForPassword switch parameter will allow you to enter the password of a standalone Managed Service Account (MSA) that you have pre-provisioned early on and ignored for group MSAs. This is required when you are installing a standalone MSA on a server located on a segmented network (site) with no access to writable DCs but only RODCs (e.g. perimeter network or DMZ). In this case you should create the standalone MSA, link it with the appropriate computer account and assign a well-known password that needs to be passed when installing the standalone MSA on the server on the RODC-only site with no access to writable DCs. If you pass both AccountPassword and PromptForPassword parameters the AccountPassword parameter takes precedence. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AccountPassword</maml:name><maml:description><maml:para>The AccountPassword SecureString parameter will allow you to inline pass-in the password of a standalone Managed Service Account (MSA) that you have pre-provisioned early on and is ignored for group MSAs. This is required when you are installing a standalone MSA on a server located on a segmented network (site) with no access to writable DCs but only RODCs (e.g. perimeter network or DMZ). In this case you should create the standalone MSA, link it with the appropriate computer account and assign a well-known password that needs to be passed when installing the standalone MSA on the server on the RODC-only site with no access to writable DCs. If you pass both AccountPassword and PromptForPassword parameters the AccountPassword parameter takes precedence. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">SecureString</command:parameterValue><dev:type><maml:name>SecureString</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Force</maml:name><maml:description><maml:para>Forces installation of the service account. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory account object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=WebAccount,CN=ManagedServiceAccounts,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: WebAccount$ </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=WebAccount,CN=ManagedServiceAccounts,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to an account object instance named "AccountInstance". </maml:para><maml:para>-Identity $AccountInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADServiceAccount</command:parameterValue><dev:type><maml:name>ADServiceAccount</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PromptForPassword</maml:name><maml:description><maml:para>The PromptForPassword switch parameter will allow you to enter the password of a standalone Managed Service Account (MSA) that you have pre-provisioned early on and ignored for group MSAs. This is required when you are installing a standalone MSA on a server located on a segmented network (site) with no access to writable DCs but only RODCs (e.g. perimeter network or DMZ). In this case you should create the standalone MSA, link it with the appropriate computer account and assign a well-known password that needs to be passed when installing the standalone MSA on the server on the RODC-only site with no access to writable DCs. If you pass both AccountPassword and PromptForPassword parameters the AccountPassword parameter takes precedence. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADServiceAccount</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A managed service account object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with AD LDS. </maml:para><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para><maml:para>To successfully install a service account, the service account should have the -PrincipalsAllowedToRetrieveManagedPassword parameter option set first by using either the New-ADServiceAccount or Set-ADServiceAccount cmdlet first. Otherwise, installation will fail.</maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Install-ADServiceAccount -Identity 'SQL-HR-svc-01' </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Install a Managed Service Account with name 'SQL-HR-svc-01' on the local computer. (If a Group Managed Service Account is used, the service account must have the PrincipalsAllowedToRetrieveManagedPassword property set.) </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>$a = Get-ADServiceAccount -Filter { Name -eq 'SQL-HR-svc-01'} Install-ADServiceAccount $a </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get a Managed Service Account with name 'SQL-HR-svc-01' from the default directory and install it on the local machine. (If a Group Managed Service Account is used, the service account must have the PrincipalsAllowedToRetrieveManagedPassword property set.) </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Install-ADServiceAccount -Identity 'SQL-HR-svc-01' -PromptForPassword Please enter the current password for 'CN=SQL-HR-svc-01,CN=Managed Service Accounts,DC=contoso,DC=com' Password: ******* </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Installs a standalone Managed Service Account with name 'SQL-HR-svc-01' in a RODC-only site with not access to writable DCs. (If a Group Managed Service Account is used, the service account must have the PrincipalsAllowedToRetrieveManagedPassword property set.) </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Install-ADServiceAccount -Identity 'SQL-HR-svc-01' -AccountPassword (ConvertTo-SecureString -AsPlainText "p@ssw0rd" -Force) </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Installs a standalone Managed Service Account with name 'SQL-HR-svc-01' in a RODC-only site with not access to writable DCs passing the account password as a secure string. (If a Group Managed Service Account is used, the service account must have the PrincipalsAllowedToRetrieveManagedPassword property set.) </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291056</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Reset-ADServiceAccountPassword</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Uninstall-ADServiceAccount</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Move-ADDirectoryServer</command:name><maml:description><maml:para>Moves a directory server in Active Directory to a new site. </maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Move</command:verb><command:noun>ADDirectoryServer</command:noun><dev:version /></command:details><maml:description><maml:para>The Move-ADDirectoryServer cmdlet moves a directory server in Active Directory to a new site within the same domain. </maml:para><maml:para>The Identity parameter specifies the directory server to move. You can specify a directory server object by one of the following values: </maml:para><maml:para>Name of the server object (name) </maml:para><maml:para>Distinguished Name (DN) of the NTDS Settings object </maml:para><maml:para>Distinguished Name (DN) of the server object that represents the directory server </maml:para><maml:para>GUID (objectGUID) of server object under the configuration partition </maml:para><maml:para>GUID (objectGUID) of NTDS settings object under the configuration partition </maml:para><maml:para>You can also set the Identity parameter to a directory server object variable such as $<localDirectoryServerObject>, or you can pass an object through the pipeline to the Identity parameter. For example, you can use the Get-ADDomainController to get a directory server object and then pass that object through the pipeline to the Move-ADDirectoryServer cmdlet. </maml:para><maml:para>The Site parameter specifies the new site for the directory server. You can identify a site by its distinguished name (DN) or GUID. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Move-ADDirectoryServer</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory server object by providing one of the following values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Name of the server object (name) </maml:para><maml:para>For AD LDS instances the syntax is of a name is <computer-name>$<instance-name> </maml:para><maml:para>Example: asia-w7-vm4$instance1 </maml:para><maml:para>Note: When you type this value in Windows PowerShell, you must use the backtick (`) as an escape character for the dollar sign ($). Therefore, for the previous example you would type the following: asia-w7-vm4`$instance1 </maml:para><maml:para>For other Active Directory instances, use the value of the name property </maml:para><maml:para>Example: corp-DC01 </maml:para><maml:para>Distinguished Name of the NTDS Settings object </maml:para><maml:para>Example: CN=NTDS Settings,CN=CORP-DC12,CN=Servers,CN=NA-CAN-BC,CN=Sites,CN=Configuration,DC=corp,DC=contoso </maml:para><maml:para>Distinguished Name of the server object that represents the directory server </maml:para><maml:para>Example: CN=CORP-DC12,CN=Servers,CN=NA-CAN-QBC,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) of server object under the configuration partition </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>GUID (objectGUID) of NTDS settings object under the configuration partition </maml:para><maml:para>Example: 768c44de-f72d-66e0-8a88-0523ca495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=CORP-DC12,CN=Servers,CN=NA-CAN-QBC,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a directory server object instance named "directoryServerInstance". </maml:para><maml:para>-Identity $directoryServerInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADDirectoryServer</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>Site</maml:name><maml:description><maml:para>Specifies the new site for the directory server. You can identify the site by one of the following property values. Note: The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished name (DN) </maml:para><maml:para>Example: CN= NA-CAN-QBC,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (ObjectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Name (name) </maml:para><maml:para>Example: NA-CAN-QBC </maml:para><maml:para>The following example shows how use this parameter to specify a site object by using the site name. </maml:para><maml:para>-Site "NA-CAN-QBC" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSite</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory server object by providing one of the following values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Name of the server object (name) </maml:para><maml:para>For AD LDS instances the syntax is of a name is <computer-name>$<instance-name> </maml:para><maml:para>Example: asia-w7-vm4$instance1 </maml:para><maml:para>Note: When you type this value in Windows PowerShell, you must use the backtick (`) as an escape character for the dollar sign ($). Therefore, for the previous example you would type the following: asia-w7-vm4`$instance1 </maml:para><maml:para>For other Active Directory instances, use the value of the name property </maml:para><maml:para>Example: corp-DC01 </maml:para><maml:para>Distinguished Name of the NTDS Settings object </maml:para><maml:para>Example: CN=NTDS Settings,CN=CORP-DC12,CN=Servers,CN=NA-CAN-BC,CN=Sites,CN=Configuration,DC=corp,DC=contoso </maml:para><maml:para>Distinguished Name of the server object that represents the directory server </maml:para><maml:para>Example: CN=CORP-DC12,CN=Servers,CN=NA-CAN-QBC,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) of server object under the configuration partition </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>GUID (objectGUID) of NTDS settings object under the configuration partition </maml:para><maml:para>Example: 768c44de-f72d-66e0-8a88-0523ca495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=CORP-DC12,CN=Servers,CN=NA-CAN-QBC,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a directory server object instance named "directoryServerInstance". </maml:para><maml:para>-Identity $directoryServerInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADDirectoryServer</command:parameterValue><dev:type><maml:name>ADDirectoryServer</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>Site</maml:name><maml:description><maml:para>Specifies the new site for the directory server. You can identify the site by one of the following property values. Note: The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished name (DN) </maml:para><maml:para>Example: CN= NA-CAN-QBC,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (ObjectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Name (name) </maml:para><maml:para>Example: NA-CAN-QBC </maml:para><maml:para>The following example shows how use this parameter to specify a site object by using the site name. </maml:para><maml:para>-Site "NA-CAN-QBC" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSite</command:parameterValue><dev:type><maml:name>ADReplicationSite</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADDirectoryServer</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A directory server object is received b y the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Move-ADDirectoryServer -Identity "FABRIKAM-DC2" -Site "Branch-Office-Site" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Move the domain controller "FABRIKAM-DC2" to the site "Branch-Office-Site". </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADDomainController -Filter {IsReadOnly -eq $true} | Move-ADDirectoryServer -site "RODC-Site-Name" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Move all Read Only Domain Controllers to the site "RODC-Site-Name". </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291057</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Move-ADDirectoryServerOperationMasterRole</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Move-ADDirectoryServerOperationMasterRole</command:name><maml:description><maml:para>Moves operation master roles to an Active Directory directory server. </maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Move</command:verb><command:noun>ADDirectoryServerOperationMasterRole</command:noun><dev:version /></command:details><maml:description><maml:para>The Move-ADDirectoryServerOperationMasterRole cmdlet moves one or more operation master roles to a directory server. You can move operation master roles to a directory server in a different domain if the credentials are the same in both domains. </maml:para><maml:para>The Identity parameter specifies the directory server that receives the roles. You can specify a directory server object by one of the following values: </maml:para><maml:para>Name of the server object (name) </maml:para><maml:para>Distinguished Name (DN) of the NTDS Settings object </maml:para><maml:para>Distinguished Name (DN) of the server object that represents the directory server </maml:para><maml:para>GUID (objectGUID) of server object under the configuration partition </maml:para><maml:para>GUID (objectGUID) of NTDS settings object under the configuration partition </maml:para><maml:para>For AD LDS instances the syntax for the server object name is <computer-name>$<instance-name>. The following is an example of this syntax: </maml:para><maml:para>asia-w7-vm4$instance1 </maml:para><maml:para>When you type this value in Windows PowerShell, you must use the backtick (`) as an escape character for the dollar sign ($). Therefore, for this example, you would type the following: </maml:para><maml:para>asia-w7-vm4`$instance1 </maml:para><maml:para>You can also set the parameter to a directory server object variable, such as $<localDirectoryServerObject>. </maml:para><maml:para>The Move-ADDirectoryServerOperationMasteRole cmdlet provides two options for moving operation master roles: </maml:para><maml:para>1. Role transfer, which involves transferring roles to be moved by running the cmdlet using the Identity parameter to specify the current role holder and the OperationMasterRole parameter to specify the roles for transfer. This is the recommended option. </maml:para><maml:para>Operation roles include PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, or DomainNamingMaster. To specify more than one role, use a comma-separated list. </maml:para><maml:para>2. Role seizure, which involves seizing roles you previously attempted to transfer by running the cmdlet a second time using the same parameters as the transfer operation, and adding the Force parameter. The Force parameter must be used as a switch to indicate that seizure (instead of transfer) of operation master roles is being performed. This operation still attempts graceful transfer first, then seizes if transfer is not possible. </maml:para><maml:para>Unlike using Ntdsutil.exe to move operation master roles, the Move-ADDirectoryServerOperationMasteRole cmdlet can be remotely executed from any domain joined computer where the Active Directory PowerShell administration module is installed and available for use. This can make the process of moving roles simpler and easier to centrally administer as each of the two command operations required can be run remotely and do not have to be locally executed at each of the corresponding role holders involved in the movement of the roles (i.e. role transfer only allowed at the old role holder, role seizure only allowed at the new role holder). </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Move-ADDirectoryServerOperationMasterRole</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory server object by providing one of the following values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Name of the server object (name) </maml:para><maml:para>For AD LDS instances the syntax is of a name is <computer-name>$<instance-name> </maml:para><maml:para>Example: asia-w7-vm4$instance1 </maml:para><maml:para>Note: When you type this value in Windows PowerShell, you must use the backtick (`) as an escape character for the dollar sign ($). Therefore, for the previous example you would type the following: asia-w7-vm4`$instance1 </maml:para><maml:para>For other Active Directory instances, use the value of the name property </maml:para><maml:para>Example: corp-DC01 </maml:para><maml:para>Distinguished Name of the NTDS Settings object </maml:para><maml:para>Example: CN=NTDS Settings,CN=CORP-DC12,CN=Servers,CN=NA-CAN-BC,CN=Sites,CN=Configuration,DC=corp,DC=contoso </maml:para><maml:para>Distinguished Name of the server object that represents the directory server </maml:para><maml:para>Example: CN=CORP-DC12,CN=Servers,CN=NA-CAN-QBC,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) of server object under the configuration partition </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>GUID (objectGUID) of NTDS settings object under the configuration partition </maml:para><maml:para>Example: 768c44de-f72d-66e0-8a88-0523ca495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=CORP-DC12,CN=Servers,CN=NA-CAN-QBC,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a directory server object instance named "directoryServerInstance". </maml:para><maml:para>-Identity $directoryServerInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADDirectoryServer</command:parameterValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>OperationMasterRole</maml:name><maml:description><maml:para>Specifies one or more operation master roles to move to the specified directory server in Active Directory Domain Services. Possible values for this parameter include: </maml:para><maml:para>PDCEmulator or 0 </maml:para><maml:para>RIDMaster or 1 </maml:para><maml:para>InfrastructureMaster or 2 </maml:para><maml:para>SchemaMaster or 3 </maml:para><maml:para>DomainNamingMaster or 4 </maml:para><maml:para>To specify multiple operation master roles, use a comma-separated list. </maml:para><maml:para>The following example shows how to specify this parameter so that the SchemaMaster and DomainNamingMaster roles are moved. </maml:para><maml:para>-OperationMasterRole SchemaMaster, 4 </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="true">PDCEmulator</command:parameterValue><command:parameterValue required="true" variableLength="true">RIDMaster</command:parameterValue><command:parameterValue required="true" variableLength="true">InfrastructureMaster</command:parameterValue><command:parameterValue required="true" variableLength="true">SchemaMaster</command:parameterValue><command:parameterValue required="true" variableLength="true">DomainNamingMaster</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Force</maml:name><maml:description><maml:para>This parameter is used for seize operations on domain controllers with the flexible single master operations (FSMO) role. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Force</maml:name><maml:description><maml:para>This parameter is used for seize operations on domain controllers with the flexible single master operations (FSMO) role. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory server object by providing one of the following values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Name of the server object (name) </maml:para><maml:para>For AD LDS instances the syntax is of a name is <computer-name>$<instance-name> </maml:para><maml:para>Example: asia-w7-vm4$instance1 </maml:para><maml:para>Note: When you type this value in Windows PowerShell, you must use the backtick (`) as an escape character for the dollar sign ($). Therefore, for the previous example you would type the following: asia-w7-vm4`$instance1 </maml:para><maml:para>For other Active Directory instances, use the value of the name property </maml:para><maml:para>Example: corp-DC01 </maml:para><maml:para>Distinguished Name of the NTDS Settings object </maml:para><maml:para>Example: CN=NTDS Settings,CN=CORP-DC12,CN=Servers,CN=NA-CAN-BC,CN=Sites,CN=Configuration,DC=corp,DC=contoso </maml:para><maml:para>Distinguished Name of the server object that represents the directory server </maml:para><maml:para>Example: CN=CORP-DC12,CN=Servers,CN=NA-CAN-QBC,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) of server object under the configuration partition </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>GUID (objectGUID) of NTDS settings object under the configuration partition </maml:para><maml:para>Example: 768c44de-f72d-66e0-8a88-0523ca495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=CORP-DC12,CN=Servers,CN=NA-CAN-QBC,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a directory server object instance named "directoryServerInstance". </maml:para><maml:para>-Identity $directoryServerInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADDirectoryServer</command:parameterValue><dev:type><maml:name>ADDirectoryServer</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>OperationMasterRole</maml:name><maml:description><maml:para>Specifies one or more operation master roles to move to the specified directory server in Active Directory Domain Services. Possible values for this parameter include: </maml:para><maml:para>PDCEmulator or 0 </maml:para><maml:para>RIDMaster or 1 </maml:para><maml:para>InfrastructureMaster or 2 </maml:para><maml:para>SchemaMaster or 3 </maml:para><maml:para>DomainNamingMaster or 4 </maml:para><maml:para>To specify multiple operation master roles, use a comma-separated list. </maml:para><maml:para>The following example shows how to specify this parameter so that the SchemaMaster and DomainNamingMaster roles are moved. </maml:para><maml:para>-OperationMasterRole SchemaMaster, 4 </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADOperationMasterRole[]</command:parameterValue><dev:type><maml:name>ADOperationMasterRole[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue>See notes</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADDirectoryServer</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A directory server object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADDirectoryServer</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns the modified directory server object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Move-ADDirectoryServerOperationMasterRole "FABRIKAM-DC1" PDCEmulator </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Move the PDC Emulator role to the Domain Controller "FABRIKAM-DC1". </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Move-ADDirectoryServerOperationMasterRole -Identity "FABRIKAM-DC2" -OperationMasterRole PDCEmulator,SchemaMaster </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Move the PDC Emulator and Schema Master roles to the Domain Controller "FABRIKAM-DC2". </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Move-ADDirectoryServerOperationMasterRole Fabrikam-DC`$instance1 -OperationMasterRole schemaMaster -server Fabrikam-DC:50000 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Move the schema master FSMO owner to the AD LDS instance "instance1' on the server "Fabrikam-DC". </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Move-ADDirectoryServerOperationMasterRole -Identity FABRIKAM-DC1 -OperationMasterRole RIDMaster,InfrastructureMaster,DomainNamingMaster -Force </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Seizes the specified roles (RID master, infrastructure master, domain naming master). </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 5 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code> PS C:\>$server = Get-ADDomainController -Identity "TK5-CORP-DC-10.fabrikam.com" PS C:\>Move-ADDirectoryServerOperationMasterRole -Identity $server -OperationMasterRole SchemaMaster,DomainNamingMaster,PDCEmulator,RIDMaster,InfrastructureMaster </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Transfers the flexible single master operations (FSMO) role to the specified domain controller. When using the fully qualified domain name (FQDN) to identify the domain controller, the Get-ADDomainController cmdlet must be used first as a preliminary step. There is a known issue where the Move-ADDirectoryServerOperationMasterRole cmdlet fails when an FQDN is specified directly as the value of the -Identity parameter. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291058</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Move-ADDirectoryServer</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Move-ADObject</command:name><maml:description><maml:para>Moves an Active Directory object or a container of objects to a different container or domain. </maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Move</command:verb><command:noun>ADObject</command:noun><dev:version /></command:details><maml:description><maml:para>The Move-ADObject cmdlet moves an object or a container of objects from one container to another or from one domain to another. </maml:para><maml:para>The Identity parameter specifies the Active Directory object or container to move. You can identify an object or container by its distinguished name (DN) or GUID. You can also set the Identity parameter to an object variable such as $<localObject>, or you can pass an object through the pipeline to the Identity parameter. For example, you can use the Get-ADObject cmdlet to retrieve an object and then pass the object through the pipeline to the Move-ADObject cmdlet. You can also use the Get-ADGroup, Get-ADUser, Get-ADComputer, Get-ADServiceAccount, Get-ADOrganizationalUnit and Get-ADFineGrainedPasswordPolicy cmdlets to get an object that you can pass through the pipeline to this cmdlet. </maml:para><maml:para>The TargetPath parameter must be specified. This parameter identifies the new location for the object or container. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Move-ADObject</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavis,OU=users,OU=asia,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADDomain </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADObject</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>TargetPath</maml:name><maml:description><maml:para>Specifies the new location for the object. This location must be the path to a container or organizational unit. </maml:para><maml:para>The following example shows how to specify a target path by providing the distinguished name. </maml:para><maml:para>-TargetPath "ou=sales,dc=corp,dc=contoso,dc=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>TargetServer</maml:name><maml:description><maml:para>Specifies the Active Directory instance to use by providing the following value for a corresponding domain name or directory server. </maml:para><maml:para>Note: A cross domain move requires a FQDN server name. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name (FQDN) </maml:para><maml:para>Examples: contoso.com </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: server01.europe.contoso.com </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: server01.europe.contoso.com:3268 </maml:para><maml:para>The following example shows how to specify a target server by specifying the fully-qualified directory server name. </maml:para><maml:para>-TargetServer "server01.europe.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavis,OU=users,OU=asia,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADDomain </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADObject</command:parameterValue><dev:type><maml:name>ADObject</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>TargetPath</maml:name><maml:description><maml:para>Specifies the new location for the object. This location must be the path to a container or organizational unit. </maml:para><maml:para>The following example shows how to specify a target path by providing the distinguished name. </maml:para><maml:para>-TargetPath "ou=sales,dc=corp,dc=contoso,dc=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>TargetServer</maml:name><maml:description><maml:para>Specifies the Active Directory instance to use by providing the following value for a corresponding domain name or directory server. </maml:para><maml:para>Note: A cross domain move requires a FQDN server name. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name (FQDN) </maml:para><maml:para>Examples: contoso.com </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: server01.europe.contoso.com </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: server01.europe.contoso.com:3268 </maml:para><maml:para>The following example shows how to specify a target server by specifying the fully-qualified directory server name. </maml:para><maml:para>-TargetServer "server01.europe.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.AObject</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>An Active Directory object is received by the Identity parameter. Derived types, such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADOrganizationalUnit </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Move-ADObject -Identity "OU=ManagedGroups,DC=Fabrikam,DC=Com" -TargetPath "OU=Managed,DC=Fabrikam,DC=Com" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Moves the Organizational Unit 'ManagedGroups' to a new location. The OU 'ManagedGroups' must NOT be protected from accidental deletion for the successful move. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Move-ADObject "8d0bcc44-c826-4dd8-af5c-2c69960fbd47" -TargetPath "OU=Managed,DC=Fabrikam,DC=Com" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Moves the object identified by the specified GUID to the new location. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Move-ADObject "8d0bcc44-c826-4dd8-af5c-2c69960fbd47" -TargetPath "1c2ea8a8-c2b7-4a87-8190-0e8a166aee16" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Moves an object to a new location. Both the object and the target path are specified using GUIDs. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Move-ADObject -Identity "CN=Peter Bankov,OU=Accounting,DC=Fabrikam,DC=com" -TargetPath "OU=Accounting,DC=Europe,DC=Fabrikam,DC=com" -TargetServer "server01.europe.fabrikam.com" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Moves an object with DistinguishedName 'CN=Peter Bankov,OU=Accounting,DC=Fabrikam,DC=com' to a different domain. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 5 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Move-ADObject -Identity "CN=AccountLeads,DC=AppNC" -TargetPath "OU=AccountDeptOU,DC=AppNC" -server "FABRIKAM-SRV1:60000" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Moves an object to a new location within an LDS instance. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291059</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADObject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADObject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADObject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Rename-ADObject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Restore-ADObject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADObject</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>New-ADAuthenticationPolicy</command:name><maml:description><maml:para>Creates an Active Directory Domain Services authentication policy object.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>New</command:verb><command:noun>ADAuthenticationPolicy</command:noun><dev:version /></command:details><maml:description><maml:para>The New-ADAuthenticationPolicy creates an authentication policy object in Active Directory® Domain Services. </maml:para><maml:para>Commonly used attributes of the object can be specified by the parameters of this cmdlet. To set attributes for the object that are not represented by the parameters of this cmdlet, specify the OtherAttributes parameter. </maml:para><maml:para>You can use the pipeline operator and the <maml:navigationLink><maml:linkText>Import-Csv</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet to pass a list for bulk creation of objects in the directory. You can also specify a template object by using the Instance parameter to create objects from a template.</maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>New-ADAuthenticationPolicy</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the object. This parameter sets the Name property of the Active Directory Domain Services object. The LDAP Display Name (ldapDisplayName) of this property is "name".</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. The acceptable values for this parameter are: --Negotiate or 0 --Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.</maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ComputerAllowedToAuthenticateTo</maml:name><maml:description><maml:para>Specifies the security descriptor definition language (SDDL) string of the security descriptor used to determine if the computer can authenticate to this account. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ComputerTGTLifetimeMins</maml:name><maml:description><maml:para>Specifies the lifetime in minutes for non-renewable ticket granting tickets (TGTs) for computer accounts. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform the task. The default is the current user. Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the <maml:navigationLink><maml:linkText>Get-Credential</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet. </maml:para><maml:para>By default, the cmdlet uses the credentials of the currently logged on user unless the cmdlet is run from an Active Directory Domain ServicesWindows PowerShell provider drive. If you run the cmdlet in a provider drive, the account associated with the drive is the default.</maml:para><maml:para>If you specify credentials that do not have permission to perform the task, the cmdlet returns an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description for the object. This parameter sets the value of the description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description".</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Enforce</maml:name><maml:description><maml:para>Indicates that the authentication policy is enforced. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of an ADAuthenticationPolicy object to use as a template for a new ADAuthenticationPolicy object. To get the ADAuthenticationPolicy object to use as a template, use the Get-ADAuthenticationPolicy cmdlet.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OtherAttributes</maml:name><maml:description><maml:para>Specifies a list of object attribute values for attributes that are not represented by other parameters. You can set one or more attributes at the same time with this parameter, and if an attribute takes more than one value you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory Domain Services schema. </maml:para><maml:para>Specify the attribute and the value of the attribute in the following format: @{'AttributeLDAPDisplayName'=value}. </maml:para><maml:para>To specify multiple values for an attribute, specify a comma separated list the values for the display name. You can specify values for more than one attribute by using semicolons to separate attribute value pairs. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Indicates whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. The acceptable values for this parameter are: --$False or 0 --$True or 1 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to which to connect, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Specify the Active Directory Domain Services instance in one of the following ways: --Domain name values: ----Fully qualified domain name ----NetBIOS name --Directory server values: ----Fully qualified directory server name ----NetBIOS name ----Fully qualified directory server name and port</maml:para><maml:para>The default value for this parameter is determined by one of the following methods in the order that they are listed: --By using the Server value from objects passed through the pipeline --By using the server information associated with the Active Directory Domain ServicesWindows PowerShell provider drive, when the cmdlet runs in that drive --By using the domain of the computer running Windows PowerShell</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ServiceAllowedToAuthenticateFrom</maml:name><maml:description><maml:para>Specifies an access control expression used to determine from which devices the service can authenticate.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ServiceAllowedToAuthenticateTo</maml:name><maml:description><maml:para>Specifies the SDDL string of the security descriptor used to determine if the service can authenticate to this account. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ServiceTGTLifetimeMins</maml:name><maml:description><maml:para>Specifies the lifetime in minutes for non-renewable TGTs for service accounts. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>UserAllowedToAuthenticateFrom</maml:name><maml:description><maml:para>Specifies an access control expression used to determine from which devices the users can authenticate.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>UserAllowedToAuthenticateTo</maml:name><maml:description><maml:para>Specifies the SDDL string of the security descriptor used to determine if the users can authenticate to this account. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>UserTGTLifetimeMins</maml:name><maml:description><maml:para>Specifies the lifetime in minutes for non-renewable TGTs for user accounts. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. The acceptable values for this parameter are: --Negotiate or 0 --Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ComputerAllowedToAuthenticateTo</maml:name><maml:description><maml:para>Specifies the security descriptor definition language (SDDL) string of the security descriptor used to determine if the computer can authenticate to this account. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ComputerTGTLifetimeMins</maml:name><maml:description><maml:para>Specifies the lifetime in minutes for non-renewable ticket granting tickets (TGTs) for computer accounts. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform the task. The default is the current user. Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the <maml:navigationLink><maml:linkText>Get-Credential</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet. </maml:para><maml:para>By default, the cmdlet uses the credentials of the currently logged on user unless the cmdlet is run from an Active Directory Domain ServicesWindows PowerShell provider drive. If you run the cmdlet in a provider drive, the account associated with the drive is the default.</maml:para><maml:para>If you specify credentials that do not have permission to perform the task, the cmdlet returns an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description for the object. This parameter sets the value of the description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description".</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Enforce</maml:name><maml:description><maml:para>Indicates that the authentication policy is enforced. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of an ADAuthenticationPolicy object to use as a template for a new ADAuthenticationPolicy object. To get the ADAuthenticationPolicy object to use as a template, use the Get-ADAuthenticationPolicy cmdlet.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue><dev:type><maml:name>ADAuthenticationPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the object. This parameter sets the Name property of the Active Directory Domain Services object. The LDAP Display Name (ldapDisplayName) of this property is "name".</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OtherAttributes</maml:name><maml:description><maml:para>Specifies a list of object attribute values for attributes that are not represented by other parameters. You can set one or more attributes at the same time with this parameter, and if an attribute takes more than one value you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory Domain Services schema. </maml:para><maml:para>Specify the attribute and the value of the attribute in the following format: @{'AttributeLDAPDisplayName'=value}. </maml:para><maml:para>To specify multiple values for an attribute, specify a comma separated list the values for the display name. You can specify values for more than one attribute by using semicolons to separate attribute value pairs. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Indicates whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. The acceptable values for this parameter are: --$False or 0 --$True or 1 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue>$true</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to which to connect, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Specify the Active Directory Domain Services instance in one of the following ways: --Domain name values: ----Fully qualified domain name ----NetBIOS name --Directory server values: ----Fully qualified directory server name ----NetBIOS name ----Fully qualified directory server name and port</maml:para><maml:para>The default value for this parameter is determined by one of the following methods in the order that they are listed: --By using the Server value from objects passed through the pipeline --By using the server information associated with the Active Directory Domain ServicesWindows PowerShell provider drive, when the cmdlet runs in that drive --By using the domain of the computer running Windows PowerShell</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ServiceAllowedToAuthenticateFrom</maml:name><maml:description><maml:para>Specifies an access control expression used to determine from which devices the service can authenticate.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ServiceAllowedToAuthenticateTo</maml:name><maml:description><maml:para>Specifies the SDDL string of the security descriptor used to determine if the service can authenticate to this account. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ServiceTGTLifetimeMins</maml:name><maml:description><maml:para>Specifies the lifetime in minutes for non-renewable TGTs for service accounts. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>UserAllowedToAuthenticateFrom</maml:name><maml:description><maml:para>Specifies an access control expression used to determine from which devices the users can authenticate.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>UserAllowedToAuthenticateTo</maml:name><maml:description><maml:para>Specifies the SDDL string of the security descriptor used to determine if the users can authenticate to this account. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>UserTGTLifetimeMins</maml:name><maml:description><maml:para>Specifies the lifetime in minutes for non-renewable TGTs for user accounts. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>System.String: System.Nullable`1[[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]], System.Management.Automation.SwitchParameter: System.Nullable`1[[System.Boolean, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>System.Object</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title>Example 1: Create an authentication policy with a user TGT lifetime</maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\> New-ADAuthenticationPolicy AuthenticationPolicy01 -UserTGTLifetimeMins 60 </dev:code><dev:remarks><maml:para>This command creates an authentication policy object named AuthenticationPolicy01 and sets the TGT lifetime for a user account to 60 minutes. Because the Enforce parameter is not specified, the authentication policy created is in audit mode. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title>Example 2: Create an enforced authentication policy </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\> New-ADAuthenticationPolicy AuthenticationPolicy02 -Enforce </dev:code><dev:remarks><maml:para>This command creates an authentication policy named AuthenticationPolicy02 and enforces it by specifying the Enforce parameter.</maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title>Example 3: </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\> New-ADAuthenticationPolicy testAuthenticationPolicy -UserAllowedToAuthenticateFrom (Get-Acl .\someFile.txt).sddl </dev:code><dev:remarks><maml:para>This command creates an authentication policy named TestAuthenticationPolicy. The UserAllowedToAuthenticationFrom parameter specifies the devices from which users are allowed to authenticate by an SDDL string in the file named someFile.txt</maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=288462</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADAuthenticationPolicy</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADAuthenticationPolicy</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADAuthenticationPolicy</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>New-ADAuthenticationPolicySilo</command:name><maml:description><maml:para>Creates an Active Directory Domain Services authentication policy silo object.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>New</command:verb><command:noun>ADAuthenticationPolicySilo</command:noun><dev:version /></command:details><maml:description><maml:para>The New-ADAuthenticationPolicySilo cmdlet creates an authentication policy silo object in Active Directory® Domain Services. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>New-ADAuthenticationPolicySilo</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the object. This parameter sets the Name property of the Active Directory Domain Services object. The LDAP Display Name (ldapDisplayName) of this property is "name".</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. The acceptable values for this parameter are: --Negotiate or 0 --Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.</maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ComputerAuthenticationPolicy</maml:name><maml:description><maml:para>Specifies the authentication policy that applies to computer accounts.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform the task. The default is the current user. Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the <maml:navigationLink><maml:linkText>Get-Credential</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet. </maml:para><maml:para>By default, the cmdlet uses the credentials of the currently logged on user unless the cmdlet is run from an Active Directory Domain ServicesWindows PowerShell provider drive. If you run the cmdlet in a provider drive, the account associated with the drive is the default.</maml:para><maml:para>If you specify credentials that do not have permission to perform the task, the cmdlet returns an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description for the object. This parameter sets the value of the description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description".</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Enforce</maml:name><maml:description><maml:para>Indicates that the authentication policy silo is enforced.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of an ADAuthenticationPolicySilo object to use as a template for a new ADAuthenticationPolicySilo object. To get the ADAuthenticationPolicySilo object to use as a template, use the Get-ADAuthenticationPolicySilo cmdlet.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicySilo</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OtherAttributes</maml:name><maml:description><maml:para>Specifies a list of object attribute values for attributes that are not represented by other parameters. You can set one or more attributes at the same time with this parameter, and if an attribute takes more than one value you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory Domain Services schema. </maml:para><maml:para>Specify the attribute and the value of the attribute in the following format: @{'AttributeLDAPDisplayName'=value}. </maml:para><maml:para>To specify multiple values for an attribute, specify a comma separated list the values for the display name. You can specify values for more than one attribute by using semicolons to separate attribute value pairs. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Indicates whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. The acceptable values for this parameter are: --$False or 0 --$True or 1 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to which to connect, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Specify the Active Directory Domain Services instance in one of the following ways: --Domain name values: ----Fully qualified domain name ----NetBIOS name --Directory server values: ----Fully qualified directory server name ----NetBIOS name ----Fully qualified directory server name and port</maml:para><maml:para>The default value for this parameter is determined by one of the following methods in the order that they are listed: --By using the Server value from objects passed through the pipeline --By using the server information associated with the Active Directory Domain ServicesWindows PowerShell provider drive, when the cmdlet runs in that drive --By using the domain of the computer running Windows PowerShell</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ServiceAuthenticationPolicy</maml:name><maml:description><maml:para>Specifies the authentication policy that applies to managed service accounts.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>UserAuthenticationPolicy</maml:name><maml:description><maml:para>Specifies the authentication policy that applies to user accounts.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. The acceptable values for this parameter are: --Negotiate or 0 --Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ComputerAuthenticationPolicy</maml:name><maml:description><maml:para>Specifies the authentication policy that applies to computer accounts.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue><dev:type><maml:name>ADAuthenticationPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform the task. The default is the current user. Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the <maml:navigationLink><maml:linkText>Get-Credential</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet. </maml:para><maml:para>By default, the cmdlet uses the credentials of the currently logged on user unless the cmdlet is run from an Active Directory Domain ServicesWindows PowerShell provider drive. If you run the cmdlet in a provider drive, the account associated with the drive is the default.</maml:para><maml:para>If you specify credentials that do not have permission to perform the task, the cmdlet returns an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description for the object. This parameter sets the value of the description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description".</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Enforce</maml:name><maml:description><maml:para>Indicates that the authentication policy silo is enforced.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of an ADAuthenticationPolicySilo object to use as a template for a new ADAuthenticationPolicySilo object. To get the ADAuthenticationPolicySilo object to use as a template, use the Get-ADAuthenticationPolicySilo cmdlet.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicySilo</command:parameterValue><dev:type><maml:name>ADAuthenticationPolicySilo</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the object. This parameter sets the Name property of the Active Directory Domain Services object. The LDAP Display Name (ldapDisplayName) of this property is "name".</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OtherAttributes</maml:name><maml:description><maml:para>Specifies a list of object attribute values for attributes that are not represented by other parameters. You can set one or more attributes at the same time with this parameter, and if an attribute takes more than one value you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory Domain Services schema. </maml:para><maml:para>Specify the attribute and the value of the attribute in the following format: @{'AttributeLDAPDisplayName'=value}. </maml:para><maml:para>To specify multiple values for an attribute, specify a comma separated list the values for the display name. You can specify values for more than one attribute by using semicolons to separate attribute value pairs. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Indicates whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. The acceptable values for this parameter are: --$False or 0 --$True or 1 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue>$true</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to which to connect, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Specify the Active Directory Domain Services instance in one of the following ways: --Domain name values: ----Fully qualified domain name ----NetBIOS name --Directory server values: ----Fully qualified directory server name ----NetBIOS name ----Fully qualified directory server name and port</maml:para><maml:para>The default value for this parameter is determined by one of the following methods in the order that they are listed: --By using the Server value from objects passed through the pipeline --By using the server information associated with the Active Directory Domain ServicesWindows PowerShell provider drive, when the cmdlet runs in that drive --By using the domain of the computer running Windows PowerShell</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ServiceAuthenticationPolicy</maml:name><maml:description><maml:para>Specifies the authentication policy that applies to managed service accounts.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue><dev:type><maml:name>ADAuthenticationPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>UserAuthenticationPolicy</maml:name><maml:description><maml:para>Specifies the authentication policy that applies to user accounts.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue><dev:type><maml:name>ADAuthenticationPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADAuthenticationPolicy, System.String, System.Management.Automation.SwitchParameter: System.Nullable`1[[System.Boolean, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>System.Object</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title>Example 1: Create an authentication policy silo and enforce it</maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\>New-ADAuthenticationPolicySilo -Name AuthenticationPolicySilo01 –Enforce </dev:code><dev:remarks><maml:para>This command creates an authentication policy silo object and enforces it.</maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title>Example 2: Create an authentication policy silo without enforcement</maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\>New-ADAuthenticationPolicySilo -Name AuthenticationPolicySilo02 </dev:code><dev:remarks><maml:para>This command creates an authentication policy silo object but does not enforce it.</maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=290130</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADAuthenticationPolicySilo</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADAuthenticationPolicySilo</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADAuthenticationPolicySilo</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>New-ADCentralAccessPolicy</command:name><maml:description><maml:para>Creates a new central access policy in Active Directory containing a set of central access rules. </maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>New</command:verb><command:noun>ADCentralAccessPolicy</command:noun><dev:version /></command:details><maml:description><maml:para>The New-ADCentralAccessPolicy cmdlet creates a new central access policy in Active Directory. A central access policy in Active Directory contains a set of central access rules. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>New-ADCentralAccessPolicy</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name". </maml:para><maml:para>The following example shows how to set this parameter to a name string. </maml:para><maml:para>-Name "Finance Policy" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of an Active Directory object to use as a template for a new Active Directory object. </maml:para><maml:para>You can use an instance of an existing Active Directory object as a template or you can construct a new Active Directory object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new Active Directory object. </maml:para><maml:para>Method 1: Use an existing Active Directory object as a template for a new object. To retrieve an instance of an existing Active Directory object, use a cmdlet such as Get-ADObject. Then provide this object to the Instance parameter of the New-ADObject cmdlet to create a new Active Directory object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADObject -Identity saraDavisDesktop </maml:para><maml:para>New-ADObject -Name "ellenAdamsDesktop" -Instance $ObjectInstance -Type "computer" </maml:para><maml:para>Method 2: Create a new ADObject and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADObject cmdlet to create the new Active Directory object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADObject $objectInstance.Description = "Ellen Adams New Computer" New-ADObject -Name ellenAdamsDesktop -Instance $ObjectInstance -Type computer </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADCentralAccessPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of an Active Directory object to use as a template for a new Active Directory object. </maml:para><maml:para>You can use an instance of an existing Active Directory object as a template or you can construct a new Active Directory object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new Active Directory object. </maml:para><maml:para>Method 1: Use an existing Active Directory object as a template for a new object. To retrieve an instance of an existing Active Directory object, use a cmdlet such as Get-ADObject. Then provide this object to the Instance parameter of the New-ADObject cmdlet to create a new Active Directory object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADObject -Identity saraDavisDesktop </maml:para><maml:para>New-ADObject -Name "ellenAdamsDesktop" -Instance $ObjectInstance -Type "computer" </maml:para><maml:para>Method 2: Create a new ADObject and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADObject cmdlet to create the new Active Directory object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADObject $objectInstance.Description = "Ellen Adams New Computer" New-ADObject -Name ellenAdamsDesktop -Instance $ObjectInstance -Type computer </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADCentralAccessPolicy</command:parameterValue><dev:type><maml:name>ADCentralAccessPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name". </maml:para><maml:para>The following example shows how to set this parameter to a name string. </maml:para><maml:para>-Name "Finance Policy" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADCentralAccessPolicy</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>An Active Directory object that is a template for the new object is received by the Instance parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADCentralAccessPolicy</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns the new central access policy object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>$departmentResourceProperty = Get-ADResourceProperty Department $resourceCondition = "(@RESOURCE." + $departmentResourceProperty.Name + " Contains {`"Finance`"})" New-ADCentralAccessRule "Finance Documents Rule" -ResourceCondition $resourceCondition </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new central access rule named "Finance Documents Rule" with a new resource condition. The resource condition scopes the resources to ones containing the value 'Finance' in their 'Department' resource property. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>$countryClaimType = Get-ADClaimType Country; $departmentClaimType = Get-ADClaimType Department; $countryResourceProperty = Get-ADResourceProperty Country; $departmentResourceProperty = Get-ADResourceProperty Department; $financeException = Get-ADGroup FinanceException; $financeAdmin = Get-ADGroup FinanceAdmin; $resourceCondition = "(@RESOURCE." + $departmentResourceProperty.Name + " Contains {`"Finance`"})" $currentAcl = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;0x1200a9;;;" + $financeException.SID.Value + ")(A;;0x1301bf;;;" + $financeAdmin.SID.Value + ")(A;;FA;;;SY)(XA;;0x1200a9;;;AU;((@USER." + $countryClaimType.Name + " Any_of @RESOURCE." + $countryResourceProperty.Name + ") && (@USER." + $departmentClaimType.Name + " Any_of @RESOURCE." + $departmentResourceProperty.Name + ")))"; Set-ADCentralAccessRule "Finance Documents Rule" -ResourceCondition $resourceCondition -CurrentAcl $currentAcl </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new central access rule named "Finance Documents Rule" with a new resource condition and new permissions. </maml:para><maml:para>The new rule specifies that documents should only be read by members of the Finance department. Members of the Finance department should only be able to access documents in their own country. Only Finance Administrators should have write access. The rule allows an exception for members of the FinanceException group. This group will have read access. </maml:para><maml:para>Targeting: Resource.Department Contains Finance </maml:para><maml:para>Access rules: Allow Read User.Country=Resource.Country AND User.department = Resource.Department Allow Full control User.MemberOf(FinanceAdmin) Allow Read User.Country=Resource.Country AND User.department = Resource.DepartmentAllow Read User.MemberOf(FinanceException) </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADCentralAccessPolicy "Finance Policy" | New-ADCentralAccessPolicy "Human Resources Policy" -Description "For the Human Resources Department." </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new central access policy named "Human Resources Policy" using the property values from 'Finance Policy', and set the description to "For the Human Resources Department." </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291060</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>New-ADCentralAccessRule</command:name><maml:description><maml:para>Creates a new central access rule in Active Directory.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>New</command:verb><command:noun>ADCentralAccessRule</command:noun><dev:version /></command:details><maml:description><maml:para>The New-ADCentralAccessRule cmdlet creates a new central access rule in Active Directory. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>New-ADCentralAccessRule</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name". </maml:para><maml:para>The following example shows how to set this parameter to a name string. </maml:para><maml:para>-Name "SaraDavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>CurrentAcl</maml:name><maml:description><maml:para>This parameter specifies the currently effective access control list (ACL) of the rule. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of an Active Directory object to use as a template for a new Active Directory object. </maml:para><maml:para>You can use an instance of an existing Active Directory object as a template or you can construct a new Active Directory object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new Active Directory object. </maml:para><maml:para>Method 1: Use an existing Active Directory object as a template for a new object. To retrieve an instance of an existing Active Directory object, use a cmdlet such as Get-ADObject. Then provide this object to the Instance parameter of the New-ADObject cmdlet to create a new Active Directory object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADObject -Identity saraDavisDesktop </maml:para><maml:para>New-ADObject -Name "ellenAdamsDesktop" -Instance $ObjectInstance -Type "computer" </maml:para><maml:para>Method 2: Create a new ADObject and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADObject cmdlet to create the new Active Directory object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADObject $objectInstance.Description = "Ellen Adams New Computer" New-ADObject -Name ellenAdamsDesktop -Instance $ObjectInstance -Type computer </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADCentralAccessRule</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ProposedAcl</maml:name><maml:description><maml:para>This parameter specifies the proposed accessed control list (ACL) of the rule. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ResourceCondition</maml:name><maml:description><maml:para>This parameter specifies the resource condition of the rule. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>CurrentAcl</maml:name><maml:description><maml:para>This parameter specifies the currently effective access control list (ACL) of the rule. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of an Active Directory object to use as a template for a new Active Directory object. </maml:para><maml:para>You can use an instance of an existing Active Directory object as a template or you can construct a new Active Directory object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new Active Directory object. </maml:para><maml:para>Method 1: Use an existing Active Directory object as a template for a new object. To retrieve an instance of an existing Active Directory object, use a cmdlet such as Get-ADObject. Then provide this object to the Instance parameter of the New-ADObject cmdlet to create a new Active Directory object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADObject -Identity saraDavisDesktop </maml:para><maml:para>New-ADObject -Name "ellenAdamsDesktop" -Instance $ObjectInstance -Type "computer" </maml:para><maml:para>Method 2: Create a new ADObject and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADObject cmdlet to create the new Active Directory object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADObject $objectInstance.Description = "Ellen Adams New Computer" New-ADObject -Name ellenAdamsDesktop -Instance $ObjectInstance -Type computer </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADCentralAccessRule</command:parameterValue><dev:type><maml:name>ADCentralAccessRule</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name". </maml:para><maml:para>The following example shows how to set this parameter to a name string. </maml:para><maml:para>-Name "SaraDavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ProposedAcl</maml:name><maml:description><maml:para>This parameter specifies the proposed accessed control list (ACL) of the rule. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ResourceCondition</maml:name><maml:description><maml:para>This parameter specifies the resource condition of the rule. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADCentralAccessRule</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>An Active Directory object that is a template for the new object is received by the Instance parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADCentralAccessRule</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns the new central access rule object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADCentralAccessRule "Finance Documents Rule" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Creates a new central access rule named 'Finance Documents Rule'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291061</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText></maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>New-ADClaimTransformPolicy</command:name><maml:description><maml:para>Creates a new claim transformation policy object in Active Directory.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>New</command:verb><command:noun>ADClaimTransformPolicy</command:noun><dev:version /></command:details><maml:description><maml:para>The New-ADClaimTransformPolicy cmdlet creates a new claims transformation policy object in Active Directory. A claims transformation policy object contains a set of rules authored in the transformation rule language. After creating a policy object, you can link it with a forest trust to apply the claims transformation to the trust. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>New-ADClaimTransformPolicy</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="1" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name". </maml:para><maml:para>The following example shows how to set this parameter to a name string. </maml:para><maml:para>-Name "Allow All Policy" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AllowAll</maml:name><maml:description><maml:para>When this parameter is specified, the policy sets a claims transformation rule that would allow all claims to be sent or received. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>New-ADClaimTransformPolicy</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="1" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name". </maml:para><maml:para>The following example shows how to set this parameter to a name string. </maml:para><maml:para>-Name "Allow All Policy" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AllowAllExcept</maml:name><maml:description><maml:para>When this parameter is specified, the policy sets a claims transformation rule that would allow all claims to be sent or received except for the specified claim types. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADClaimType[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>New-ADClaimTransformPolicy</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="1" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name". </maml:para><maml:para>The following example shows how to set this parameter to a name string. </maml:para><maml:para>-Name "Allow All Policy" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>DenyAll</maml:name><maml:description><maml:para>When this parameter is specified, the policy sets a claims transformation rule that would deny all claims to be sent or received. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>New-ADClaimTransformPolicy</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="1" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name". </maml:para><maml:para>The following example shows how to set this parameter to a name string. </maml:para><maml:para>-Name "Allow All Policy" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>DenyAllExcept</maml:name><maml:description><maml:para>When this parameter is specified, the policy sets a claims transformation rule that would deny all claims to be sent or received except for the specified claim types. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADClaimType[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>New-ADClaimTransformPolicy</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="1" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name". </maml:para><maml:para>The following example shows how to set this parameter to a name string. </maml:para><maml:para>-Name "Allow All Policy" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of an Active Directory object to use as a template for a new claims transformation policy object. </maml:para><maml:para>You can use an instance of an existing claims transformation policy object as a template or you can construct a new claims transformation policy object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new claims transformation policy object. </maml:para><maml:para>Method 1: Use an existing claims transformation policy object as a template for a new object. To retrieve an instance of an existing claims transformation policy object, use a cmdlet such as Get-ADClaimsTransformationPolicy. Then provide this object to the Instance parameter of the New-ADClaimsTransformationPolicy cmdlet to create a new claims transformation policy object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADClaimsTransformationPolicy -Identity "Allow All except Finance Policy" </maml:para><maml:para>New-ADClaimsTransformationPolicy -Name "Allow All Except Pii Policy" -Instance $ObjectInstance </maml:para><maml:para>Method 2: Create a new ADClaimsTransformationPolicy and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADClaimsTransformationPolicy cmdlet to create the new Active Directory object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADClaimsTransformationPolicy $objectInstance.Description = "For finance only." </maml:para><maml:para>New-ADClaimsTransformationPolicy -Name "Deny All except Finance Policy" -Instance $ObjectInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimTransformPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Rule</maml:name><maml:description><maml:para>Represents the claims transformation rule. To specify the rule, you can either (1) type the rule in a text file, and then pass the file to the cmdlet (recommended), or (2) type the rule inline. </maml:para><maml:para>For example, the following commands demonstrate how to create a new claims transformation policy object with the rule specified in a text file named Rule.txt located in a temporary folder C:\temp. </maml:para><maml:para>$rule = Get-Content C:\temp\rule.txt; </maml:para><maml:para>New-ADClaimTransformPolicy MyRule -Rule $rule </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AllowAll</maml:name><maml:description><maml:para>When this parameter is specified, the policy sets a claims transformation rule that would allow all claims to be sent or received. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AllowAllExcept</maml:name><maml:description><maml:para>When this parameter is specified, the policy sets a claims transformation rule that would allow all claims to be sent or received except for the specified claim types. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADClaimType[]</command:parameterValue><dev:type><maml:name>ADClaimType[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>DenyAll</maml:name><maml:description><maml:para>When this parameter is specified, the policy sets a claims transformation rule that would deny all claims to be sent or received. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>DenyAllExcept</maml:name><maml:description><maml:para>When this parameter is specified, the policy sets a claims transformation rule that would deny all claims to be sent or received except for the specified claim types. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADClaimType[]</command:parameterValue><dev:type><maml:name>ADClaimType[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of an Active Directory object to use as a template for a new claims transformation policy object. </maml:para><maml:para>You can use an instance of an existing claims transformation policy object as a template or you can construct a new claims transformation policy object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new claims transformation policy object. </maml:para><maml:para>Method 1: Use an existing claims transformation policy object as a template for a new object. To retrieve an instance of an existing claims transformation policy object, use a cmdlet such as Get-ADClaimsTransformationPolicy. Then provide this object to the Instance parameter of the New-ADClaimsTransformationPolicy cmdlet to create a new claims transformation policy object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADClaimsTransformationPolicy -Identity "Allow All except Finance Policy" </maml:para><maml:para>New-ADClaimsTransformationPolicy -Name "Allow All Except Pii Policy" -Instance $ObjectInstance </maml:para><maml:para>Method 2: Create a new ADClaimsTransformationPolicy and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADClaimsTransformationPolicy cmdlet to create the new Active Directory object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADClaimsTransformationPolicy $objectInstance.Description = "For finance only." </maml:para><maml:para>New-ADClaimsTransformationPolicy -Name "Deny All except Finance Policy" -Instance $ObjectInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimTransformPolicy</command:parameterValue><dev:type><maml:name>ADClaimTransformPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="1" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name". </maml:para><maml:para>The following example shows how to set this parameter to a name string. </maml:para><maml:para>-Name "Allow All Policy" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Rule</maml:name><maml:description><maml:para>Represents the claims transformation rule. To specify the rule, you can either (1) type the rule in a text file, and then pass the file to the cmdlet (recommended), or (2) type the rule inline. </maml:para><maml:para>For example, the following commands demonstrate how to create a new claims transformation policy object with the rule specified in a text file named Rule.txt located in a temporary folder C:\temp. </maml:para><maml:para>$rule = Get-Content C:\temp\rule.txt; </maml:para><maml:para>New-ADClaimTransformPolicy MyRule -Rule $rule </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADClaimTransformPolicy</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A claims transformation policy object that is a template for the new claims transformation policy object is received by the Instance parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADClaimTransformPolicy</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADClaimTransformPolicy DenyAllPolicy -DenyAll </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new claims transformation policy named 'DenyAllPolicy' that denies all claims, both those that are sent as well as those that are received. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADClaimTransformPolicy AllowAllExceptCompanyAndDepartmentPolicy -AllowAllExcept Company,Department </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new claims transformation policy named 'AllowAllExceptCompanyAndDepartmentPolicy' that allows all claims to be sent or received except for the claims 'Company' and 'Department'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADClaimTransformPolicy HumanResourcesToHrPolicy -Rule 'C1:[Type=="ad://ext/Department:88ceb0fe88a125db", Value=="Human Resources", ValueType=="string"] => issue(Type=C1.Type, Value="HR", ValueType=C1.ValueType);' </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new claims transformation policy named 'HumanResourcesToHrPolicy' that transforms the value 'Human Resources' to 'HR' in the claim 'Department'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>$rule = Get-Content C:\rule.txt; New-ADClaimTransformPolicy MyRule -Rule $rule </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new claims transformation policy named 'MyRule' with the rule specified in C:\rule.txt. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291062</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>New-ADClaimType</command:name><maml:description><maml:para>Creates a new claim type in Active Directory. </maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>New</command:verb><command:noun>ADClaimType</command:noun><dev:version /></command:details><maml:description><maml:para>The New-ADClaimType cmdlet creates a new claim type in Active Directory. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>New-ADClaimType</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the claim type, which must be unique. The display name of a claim type can be used as an identity in other Active Directory cmdlets. For example, if the display name of a claim type is "Employee Type", then you can use 'Get-ADClaimType -Identity "Employee Type"' to retrieve the claim type. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AppliesToClasses</maml:name><maml:description><maml:para>This parameter is used to specify the security principal classes to which this claim applies. Possible values for this parameter include the following (or any Active Directory type that derives from these base types): </maml:para><maml:para>- User </maml:para><maml:para>- Computer </maml:para><maml:para>- InetOrgPerson </maml:para><maml:para>- msDS-ManagedServiceAccount </maml:para><maml:para>- msDS-GroupManagedServiceAccount </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Enabled</maml:name><maml:description><maml:para>Specifies if the claim type is enabled. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ID</maml:name><maml:description><maml:para>Specifies the claim type ID. This is an optional parameter. By default, New-ADClaimType generates the ID automatically. </maml:para><maml:para>The ID should only be set manually in a multi-forest environment where the same claim types need to work across forests. For claim types to be considered identical across forests, their ID must be the same. </maml:para><maml:para>To specify the ID, the ID string must conform to the following format: </maml:para><maml:para>1. It must have a maximum of 37 characters. </maml:para><maml:para>2. It must have at least one slash (/). </maml:para><maml:para>3. It must have at least one colon before the first slash. </maml:para><maml:para>4. It must not have the slash as the last character. </maml:para><maml:para>5. It must contain valid file characters only. </maml:para><maml:para>An example is "ad://ext/BusinessImpact". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of an claim type object to use as a template for a new claim type object. </maml:para><maml:para>You can use an instance of an existing claim type object as a template or you can construct a new claim type object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new claim type object. </maml:para><maml:para>Method 1: Use an existing claim type object as a template for a new object. To retrieve an instance of an existing claim type object, use a cmdlet such as Get-ADClaimType. Then provide this object to the Instance parameter of the New-ADClaimType cmdlet to create a new claim type object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADClaimType -Identity "Employee Type" </maml:para><maml:para>New-ADClaimType -Name "Employee Type" -Instance $ObjectInstance </maml:para><maml:para>Method 2: Create a new claim type and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADClaimType cmdlet to create the new claim type object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADClaimType </maml:para><maml:para>$objectInstance.Description = "Employee Type can be full-time, intern or contractor." </maml:para><maml:para>New-ADClaimType -Name "Employee Type" -Instance $ObjectInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimType</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>IsSingleValued</maml:name><maml:description><maml:para>Specifies whether the claim type is single valued or multi-valued. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OtherAttributes</maml:name><maml:description><maml:para>Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory schema. </maml:para><maml:para>Syntax: </maml:para><maml:para>To specify a single value for an attribute: </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value} </maml:para><maml:para>To specify multiple values for an attribute </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...} </maml:para><maml:para>You can specify values for more than one attribute by using semicolons to separate attributes. The following syntax shows how to set values for multiple attributes: </maml:para><maml:para>-OtherAttributes @{'Attribute1LDAPDisplayName'=value; 'Attribute2LDAPDisplayName'=value1,value2;...} </maml:para><maml:para>The following examples show how to use this parameter. </maml:para><maml:para>To set the value of a custom attribute called favColors that takes a set of Unicode strings, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"} </maml:para><maml:para>To set values for favColors and dateOfBirth simultaneously, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"; 'dateOfBirth'=" 01/01/1960"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>RestrictValues</maml:name><maml:description><maml:para>This parameter is used to specify whether the claim type may have values outside of the SuggestedValues. If this is set to true, then the claim should only have values specified in the SuggestedValues. </maml:para><maml:para>Note that Active Directory does not enforce this restriction. It is up to the applications that use these claims to enforce the restriction. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>SuggestedValues</maml:name><maml:description><maml:para>Specifies one or more suggested values for the claim type. An application may choose to present this list of suggested values for the user to choose from. When the RestrictValues switch is set (to a value of True), the application should limit the user to selecting values from this list only. </maml:para><maml:para>Example: </maml:para><maml:para>$fullTime = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("FTE", "Full-Time", </maml:para><maml:para>"Full-time employee"); </maml:para><maml:para>$intern = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Intern", "Intern", "Student </maml:para><maml:para>employee"); </maml:para><maml:para>$contractor = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Contractor", "Contractor", </maml:para><maml:para>"Contract employee"); </maml:para><maml:para>New-ADClaimType "Employee Type" -SourceAttribute employeeType -SuggestedValues $fullTime,$intern,$contractor </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADSuggestedValueEntry[]</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>SourceAttribute</maml:name><maml:description><maml:para>Specifies an Active Directory attribute from which this claim type is based, and from which the claim value is obtained. The input must be the distinguished name (DN), Name, or GUID of the attribute definition in the schema. </maml:para><maml:para>Acceptable values include attributes of the following schema class objects: </maml:para><maml:para>User, InetOrgPerson, Computer, ManagedServiceAccount, GroupManagedServiceAccount, and Auxiliary class objects </maml:para><maml:para>Except: </maml:para><maml:para>- Attributes marked as defunct in the schema </maml:para><maml:para>- Blocked attributes such as dBCSPwd, lmPwdHistory, and unicodePwd </maml:para><maml:para>- Attributes that are not replicated </maml:para><maml:para>- Attributes that are not available on read-only domain controllers </maml:para><maml:para>- Attributes with syntaxes not based on the following </maml:para><maml:para>- String Object (DS-DN) </maml:para><maml:para>- String (Unicode) </maml:para><maml:para>- Boolean </maml:para><maml:para>- Integer </maml:para><maml:para>- Large Integer </maml:para><maml:para>- String (OID) </maml:para><maml:para>- String (SD) </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>New-ADClaimType</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the claim type, which must be unique. The display name of a claim type can be used as an identity in other Active Directory cmdlets. For example, if the display name of a claim type is "Employee Type", then you can use 'Get-ADClaimType -Identity "Employee Type"' to retrieve the claim type. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AppliesToClasses</maml:name><maml:description><maml:para>This parameter is used to specify the security principal classes to which this claim applies. Possible values for this parameter include the following (or any Active Directory type that derives from these base types): </maml:para><maml:para>- User </maml:para><maml:para>- Computer </maml:para><maml:para>- InetOrgPerson </maml:para><maml:para>- msDS-ManagedServiceAccount </maml:para><maml:para>- msDS-GroupManagedServiceAccount </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Enabled</maml:name><maml:description><maml:para>Specifies if the claim type is enabled. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ID</maml:name><maml:description><maml:para>Specifies the claim type ID. This is an optional parameter. By default, New-ADClaimType generates the ID automatically. </maml:para><maml:para>The ID should only be set manually in a multi-forest environment where the same claim types need to work across forests. For claim types to be considered identical across forests, their ID must be the same. </maml:para><maml:para>To specify the ID, the ID string must conform to the following format: </maml:para><maml:para>1. It must have a maximum of 37 characters. </maml:para><maml:para>2. It must have at least one slash (/). </maml:para><maml:para>3. It must have at least one colon before the first slash. </maml:para><maml:para>4. It must not have the slash as the last character. </maml:para><maml:para>5. It must contain valid file characters only. </maml:para><maml:para>An example is "ad://ext/BusinessImpact". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of an claim type object to use as a template for a new claim type object. </maml:para><maml:para>You can use an instance of an existing claim type object as a template or you can construct a new claim type object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new claim type object. </maml:para><maml:para>Method 1: Use an existing claim type object as a template for a new object. To retrieve an instance of an existing claim type object, use a cmdlet such as Get-ADClaimType. Then provide this object to the Instance parameter of the New-ADClaimType cmdlet to create a new claim type object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADClaimType -Identity "Employee Type" </maml:para><maml:para>New-ADClaimType -Name "Employee Type" -Instance $ObjectInstance </maml:para><maml:para>Method 2: Create a new claim type and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADClaimType cmdlet to create the new claim type object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADClaimType </maml:para><maml:para>$objectInstance.Description = "Employee Type can be full-time, intern or contractor." </maml:para><maml:para>New-ADClaimType -Name "Employee Type" -Instance $ObjectInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimType</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>IsSingleValued</maml:name><maml:description><maml:para>Specifies whether the claim type is single valued or multi-valued. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OtherAttributes</maml:name><maml:description><maml:para>Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory schema. </maml:para><maml:para>Syntax: </maml:para><maml:para>To specify a single value for an attribute: </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value} </maml:para><maml:para>To specify multiple values for an attribute </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...} </maml:para><maml:para>You can specify values for more than one attribute by using semicolons to separate attributes. The following syntax shows how to set values for multiple attributes: </maml:para><maml:para>-OtherAttributes @{'Attribute1LDAPDisplayName'=value; 'Attribute2LDAPDisplayName'=value1,value2;...} </maml:para><maml:para>The following examples show how to use this parameter. </maml:para><maml:para>To set the value of a custom attribute called favColors that takes a set of Unicode strings, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"} </maml:para><maml:para>To set values for favColors and dateOfBirth simultaneously, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"; 'dateOfBirth'=" 01/01/1960"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>RestrictValues</maml:name><maml:description><maml:para>This parameter is used to specify whether the claim type may have values outside of the SuggestedValues. If this is set to true, then the claim should only have values specified in the SuggestedValues. </maml:para><maml:para>Note that Active Directory does not enforce this restriction. It is up to the applications that use these claims to enforce the restriction. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>SourceOID</maml:name><maml:description><maml:para>Can be used to configure a certificate-based claim type source. For example, use this parameter to create certificate-based claim types when you want to use smartcard logon claims for authorization decisions. The SourceOID parameter uses the string representation of an object identifier (OID) from the issuance policy found in the certificate and on the certificate template when using Active Directory Certificate Services. An example of an OID is "1.3.6.1.4.1.311.47.2.5". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>New-ADClaimType</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the claim type, which must be unique. The display name of a claim type can be used as an identity in other Active Directory cmdlets. For example, if the display name of a claim type is "Employee Type", then you can use 'Get-ADClaimType -Identity "Employee Type"' to retrieve the claim type. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AppliesToClasses</maml:name><maml:description><maml:para>This parameter is used to specify the security principal classes to which this claim applies. Possible values for this parameter include the following (or any Active Directory type that derives from these base types): </maml:para><maml:para>- User </maml:para><maml:para>- Computer </maml:para><maml:para>- InetOrgPerson </maml:para><maml:para>- msDS-ManagedServiceAccount </maml:para><maml:para>- msDS-GroupManagedServiceAccount </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Enabled</maml:name><maml:description><maml:para>Specifies if the claim type is enabled. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ID</maml:name><maml:description><maml:para>Specifies the claim type ID. This is an optional parameter. By default, New-ADClaimType generates the ID automatically. </maml:para><maml:para>The ID should only be set manually in a multi-forest environment where the same claim types need to work across forests. For claim types to be considered identical across forests, their ID must be the same. </maml:para><maml:para>To specify the ID, the ID string must conform to the following format: </maml:para><maml:para>1. It must have a maximum of 37 characters. </maml:para><maml:para>2. It must have at least one slash (/). </maml:para><maml:para>3. It must have at least one colon before the first slash. </maml:para><maml:para>4. It must not have the slash as the last character. </maml:para><maml:para>5. It must contain valid file characters only. </maml:para><maml:para>An example is "ad://ext/BusinessImpact". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of an claim type object to use as a template for a new claim type object. </maml:para><maml:para>You can use an instance of an existing claim type object as a template or you can construct a new claim type object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new claim type object. </maml:para><maml:para>Method 1: Use an existing claim type object as a template for a new object. To retrieve an instance of an existing claim type object, use a cmdlet such as Get-ADClaimType. Then provide this object to the Instance parameter of the New-ADClaimType cmdlet to create a new claim type object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADClaimType -Identity "Employee Type" </maml:para><maml:para>New-ADClaimType -Name "Employee Type" -Instance $ObjectInstance </maml:para><maml:para>Method 2: Create a new claim type and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADClaimType cmdlet to create the new claim type object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADClaimType </maml:para><maml:para>$objectInstance.Description = "Employee Type can be full-time, intern or contractor." </maml:para><maml:para>New-ADClaimType -Name "Employee Type" -Instance $ObjectInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimType</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>IsSingleValued</maml:name><maml:description><maml:para>Specifies whether the claim type is single valued or multi-valued. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OtherAttributes</maml:name><maml:description><maml:para>Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory schema. </maml:para><maml:para>Syntax: </maml:para><maml:para>To specify a single value for an attribute: </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value} </maml:para><maml:para>To specify multiple values for an attribute </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...} </maml:para><maml:para>You can specify values for more than one attribute by using semicolons to separate attributes. The following syntax shows how to set values for multiple attributes: </maml:para><maml:para>-OtherAttributes @{'Attribute1LDAPDisplayName'=value; 'Attribute2LDAPDisplayName'=value1,value2;...} </maml:para><maml:para>The following examples show how to use this parameter. </maml:para><maml:para>To set the value of a custom attribute called favColors that takes a set of Unicode strings, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"} </maml:para><maml:para>To set values for favColors and dateOfBirth simultaneously, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"; 'dateOfBirth'=" 01/01/1960"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>RestrictValues</maml:name><maml:description><maml:para>This parameter is used to specify whether the claim type may have values outside of the SuggestedValues. If this is set to true, then the claim should only have values specified in the SuggestedValues. </maml:para><maml:para>Note that Active Directory does not enforce this restriction. It is up to the applications that use these claims to enforce the restriction. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>SuggestedValues</maml:name><maml:description><maml:para>Specifies one or more suggested values for the claim type. An application may choose to present this list of suggested values for the user to choose from. When the RestrictValues switch is set (to a value of True), the application should limit the user to selecting values from this list only. </maml:para><maml:para>Example: </maml:para><maml:para>$fullTime = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("FTE", "Full-Time", </maml:para><maml:para>"Full-time employee"); </maml:para><maml:para>$intern = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Intern", "Intern", "Student </maml:para><maml:para>employee"); </maml:para><maml:para>$contractor = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Contractor", "Contractor", </maml:para><maml:para>"Contract employee"); </maml:para><maml:para>New-ADClaimType "Employee Type" -SourceAttribute employeeType -SuggestedValues $fullTime,$intern,$contractor </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADSuggestedValueEntry[]</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>SourceTransformPolicy</maml:name><maml:description><maml:para>Indicates that the claim type is sourced from the claims transformation policy engine.</maml:para></maml:description></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ValueType</maml:name><maml:description><maml:para>Specifies the value type for this claim type. Below is a list of the valid value types: - Int64 - UInt64 - String - FQBN - SID - Boolean - OctetString </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Invalid</command:parameterValue><command:parameterValue required="true" variableLength="false">Int64</command:parameterValue><command:parameterValue required="true" variableLength="false">UInt64</command:parameterValue><command:parameterValue required="true" variableLength="false">String</command:parameterValue><command:parameterValue required="true" variableLength="false">FQBN</command:parameterValue><command:parameterValue required="true" variableLength="false">SID</command:parameterValue><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><command:parameterValue required="true" variableLength="false">OctetString</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AppliesToClasses</maml:name><maml:description><maml:para>This parameter is used to specify the security principal classes to which this claim applies. Possible values for this parameter include the following (or any Active Directory type that derives from these base types): </maml:para><maml:para>- User </maml:para><maml:para>- Computer </maml:para><maml:para>- InetOrgPerson </maml:para><maml:para>- msDS-ManagedServiceAccount </maml:para><maml:para>- msDS-GroupManagedServiceAccount </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue>Depending on SourceAttribute / SourceOID, the value is set to User / Computer respectively</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the claim type, which must be unique. The display name of a claim type can be used as an identity in other Active Directory cmdlets. For example, if the display name of a claim type is "Employee Type", then you can use 'Get-ADClaimType -Identity "Employee Type"' to retrieve the claim type. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Enabled</maml:name><maml:description><maml:para>Specifies if the claim type is enabled. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue>True</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ID</maml:name><maml:description><maml:para>Specifies the claim type ID. This is an optional parameter. By default, New-ADClaimType generates the ID automatically. </maml:para><maml:para>The ID should only be set manually in a multi-forest environment where the same claim types need to work across forests. For claim types to be considered identical across forests, their ID must be the same. </maml:para><maml:para>To specify the ID, the ID string must conform to the following format: </maml:para><maml:para>1. It must have a maximum of 37 characters. </maml:para><maml:para>2. It must have at least one slash (/). </maml:para><maml:para>3. It must have at least one colon before the first slash. </maml:para><maml:para>4. It must not have the slash as the last character. </maml:para><maml:para>5. It must contain valid file characters only. </maml:para><maml:para>An example is "ad://ext/BusinessImpact". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue>Auto-generated</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of an claim type object to use as a template for a new claim type object. </maml:para><maml:para>You can use an instance of an existing claim type object as a template or you can construct a new claim type object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new claim type object. </maml:para><maml:para>Method 1: Use an existing claim type object as a template for a new object. To retrieve an instance of an existing claim type object, use a cmdlet such as Get-ADClaimType. Then provide this object to the Instance parameter of the New-ADClaimType cmdlet to create a new claim type object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADClaimType -Identity "Employee Type" </maml:para><maml:para>New-ADClaimType -Name "Employee Type" -Instance $ObjectInstance </maml:para><maml:para>Method 2: Create a new claim type and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADClaimType cmdlet to create the new claim type object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADClaimType </maml:para><maml:para>$objectInstance.Description = "Employee Type can be full-time, intern or contractor." </maml:para><maml:para>New-ADClaimType -Name "Employee Type" -Instance $ObjectInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimType</command:parameterValue><dev:type><maml:name>ADClaimType</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>IsSingleValued</maml:name><maml:description><maml:para>Specifies whether the claim type is single valued or multi-valued. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue>True</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OtherAttributes</maml:name><maml:description><maml:para>Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory schema. </maml:para><maml:para>Syntax: </maml:para><maml:para>To specify a single value for an attribute: </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value} </maml:para><maml:para>To specify multiple values for an attribute </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...} </maml:para><maml:para>You can specify values for more than one attribute by using semicolons to separate attributes. The following syntax shows how to set values for multiple attributes: </maml:para><maml:para>-OtherAttributes @{'Attribute1LDAPDisplayName'=value; 'Attribute2LDAPDisplayName'=value1,value2;...} </maml:para><maml:para>The following examples show how to use this parameter. </maml:para><maml:para>To set the value of a custom attribute called favColors that takes a set of Unicode strings, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"} </maml:para><maml:para>To set values for favColors and dateOfBirth simultaneously, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"; 'dateOfBirth'=" 01/01/1960"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>RestrictValues</maml:name><maml:description><maml:para>This parameter is used to specify whether the claim type may have values outside of the SuggestedValues. If this is set to true, then the claim should only have values specified in the SuggestedValues. </maml:para><maml:para>Note that Active Directory does not enforce this restriction. It is up to the applications that use these claims to enforce the restriction. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue>True</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>SourceAttribute</maml:name><maml:description><maml:para>Specifies an Active Directory attribute from which this claim type is based, and from which the claim value is obtained. The input must be the distinguished name (DN), Name, or GUID of the attribute definition in the schema. </maml:para><maml:para>Acceptable values include attributes of the following schema class objects: </maml:para><maml:para>User, InetOrgPerson, Computer, ManagedServiceAccount, GroupManagedServiceAccount, and Auxiliary class objects </maml:para><maml:para>Except: </maml:para><maml:para>- Attributes marked as defunct in the schema </maml:para><maml:para>- Blocked attributes such as dBCSPwd, lmPwdHistory, and unicodePwd </maml:para><maml:para>- Attributes that are not replicated </maml:para><maml:para>- Attributes that are not available on read-only domain controllers </maml:para><maml:para>- Attributes with syntaxes not based on the following </maml:para><maml:para>- String Object (DS-DN) </maml:para><maml:para>- String (Unicode) </maml:para><maml:para>- Boolean </maml:para><maml:para>- Integer </maml:para><maml:para>- Large Integer </maml:para><maml:para>- String (OID) </maml:para><maml:para>- String (SD) </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>SourceOID</maml:name><maml:description><maml:para>Can be used to configure a certificate-based claim type source. For example, use this parameter to create certificate-based claim types when you want to use smartcard logon claims for authorization decisions. The SourceOID parameter uses the string representation of an object identifier (OID) from the issuance policy found in the certificate and on the certificate template when using Active Directory Certificate Services. An example of an OID is "1.3.6.1.4.1.311.47.2.5". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>SourceTransformPolicy</maml:name><maml:description><maml:para>Indicates that the claim type is sourced from the claims transformation policy engine.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>SuggestedValues</maml:name><maml:description><maml:para>Specifies one or more suggested values for the claim type. An application may choose to present this list of suggested values for the user to choose from. When the RestrictValues switch is set (to a value of True), the application should limit the user to selecting values from this list only. </maml:para><maml:para>Example: </maml:para><maml:para>$fullTime = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("FTE", "Full-Time", </maml:para><maml:para>"Full-time employee"); </maml:para><maml:para>$intern = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Intern", "Intern", "Student </maml:para><maml:para>employee"); </maml:para><maml:para>$contractor = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Contractor", "Contractor", </maml:para><maml:para>"Contract employee"); </maml:para><maml:para>New-ADClaimType "Employee Type" -SourceAttribute employeeType -SuggestedValues $fullTime,$intern,$contractor </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADSuggestedValueEntry[]</command:parameterValue><dev:type><maml:name>ADSuggestedValueEntry[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ValueType</maml:name><maml:description><maml:para>Specifies the value type for this claim type. Below is a list of the valid value types: - Int64 - UInt64 - String - FQBN - SID - Boolean - OctetString </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimValueType</command:parameterValue><dev:type><maml:name>ADClaimValueType</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADClaimType</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADClaimType</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADClaimType Title -SourceAttribute title </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new user claim type with display name 'Title' that is sourced from the AD attribute 'title'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>$fullTime = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("FTE", "Full-Time", "Full-time employee"); $intern = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Intern", "Intern", "Student employee"); $contractor = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Contractor", "Contractor", "Contract employee"); New-ADClaimType "Employee Type" -SourceAttribute employeeType -SuggestedValues $fullTime,$intern,$contractor </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new user claim type with display name 'Employee Type' that is sourced from the AD attribute 'employeeType'. The suggested values are set to 'FTE', 'Intern', and 'Contractor'. Applications using this claim type would allow their users to specify one of the suggested values as this claim type's value. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADClaimType "Bitlocker Enabled" -SourceOID "1.3.6.1.4.1.311.67.1.1" -Enabled $FALSE </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new device claim type with display name 'Bitlocker Enabled' with the source OID '1.3.6.1.4.1.311.67.1.1'. The claim type set to disabled. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\>New-ADClaimType Title -SourceAttribute title -ID "ad://ext/title" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new user claim type with display name 'Title' that is sourced from the AD attribute 'title' and ID set to 'ad://ext/title'. </maml:para><maml:para>The ID should only be set manually in a multi-forest environment where the same claim type needs to work across forests. By default, New-ADClaimType generates the ID automatically. For claim types to be considered identical across forests, their ID must be the same. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 5 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\>New-ADClaimType SourceForest -SourceTransformPolicy -ValueType String </dev:code><dev:remarks><maml:para>Create a new claim type with display name 'SourceForest' that is sourced from the claims transformation policy engine.</maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291063</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>New-ADComputer</command:name><maml:description><maml:para>Creates a new Active Directory computer.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>New</command:verb><command:noun>ADComputer</command:noun><dev:version /></command:details><maml:description><maml:para>The New-ADComputer cmdlet creates a new Active Directory computer object. This cmdlet does not join a computer to a domain. You can set commonly used computer property values by using the cmdlet parameters. Property values that are not associated with cmdlet parameters can be modified by using the OtherAttributes parameter. </maml:para><maml:para>You can use this cmdlet to provision a computer account before the computer is added to the domain. These pre-created computer objects can be used with offline domain join, unsecure domain Join and RODC domain join scenarios. </maml:para><maml:para>The Path parameter specifies the container or organizational unit (OU) for the new computer. When you do not specify the Path parameter, the cmdlet creates a computer account in the default container for computer objects in the domain. </maml:para><maml:para>The following methods explain different ways to create an object by using this cmdlet. </maml:para><maml:para>Method 1: Use the New-ADComputer cmdlet, specify the required parameters, and set any additional property values by using the cmdlet parameters. </maml:para><maml:para>Method 2: Use a template to create the new object. To do this, create a new computer object or retrieve a copy of an existing computer object and set the Instance parameter to this object. The object provided to the Instance parameter is used as a template for the new object. You can override property values from the template by setting cmdlet parameters. For examples and more information, see the Instance parameter description for this cmdlet. </maml:para><maml:para>Method 3: Use the Import-CSV cmdlet with the Add-ADComputer cmdlet to create multiple Active Directory computer objects. To do this, use the Import-CSV cmdlet to create the custom objects from a comma-separated value (CSV) file that contains a list of object properties. Then pass these objects through the pipeline to the New-ADComputer cmdlet to create the computer objects. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>New-ADComputer</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name". </maml:para><maml:para>The following example shows how to set this parameter to a name string. </maml:para><maml:para>-Name "SaraDavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AccountExpirationDate</maml:name><maml:description><maml:para>Specifies the expiration date for an account. When you set this parameter to 0, the account never expires. This parameter sets the AccountExpirationDate property of an account object. The LDAP Display name (ldapDisplayName) for this property is accountExpires. </maml:para><maml:para>Use the DateTime syntax when you specify this parameter. Time is assumed to be local time unless otherwise specified. When a time value is not specified, the time is assumed to 12:00:00 AM local time. When a date is not specified, the date is assumed to be the current date. The following examples show commonly-used syntax to specify a DateTime object. </maml:para><maml:para>"4/17/2006" </maml:para><maml:para>"Monday, April 17, 2006" </maml:para><maml:para>"2:22:45 PM" </maml:para><maml:para>"Monday, April 17, 2006 2:22:45 PM" </maml:para><maml:para>These examples specify the same date and the time without the seconds. </maml:para><maml:para>"4/17/2006 2:22 PM" </maml:para><maml:para>"Monday, April 17, 2006 2:22 PM" </maml:para><maml:para>"2:22 PM" </maml:para><maml:para>The following example shows how to specify a date and time by using the RFC1123 standard. This example defines time by using Greenwich Mean Time (GMT). </maml:para><maml:para>"Mon, 17 Apr 2006 21:22:48 GMT" </maml:para><maml:para>The following example shows how to specify a round-trip value as Coordinated Universal Time (UTC). This example represents Monday, April 17, 2006 at 2:22:48 PM UTC. </maml:para><maml:para>"2006-04-17T14:22:48.0000000" </maml:para><maml:para>The following example shows how to set this parameter to the date May 1, 2012 at 5 PM. </maml:para><maml:para>-AccountExpirationDate "05/01/2012 5:00:00 PM" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AccountNotDelegated</maml:name><maml:description><maml:para>Specifies whether the security context of the user is delegated to a service. When this parameter is set to true, the security context of the account is not delegated to a service even when the service account is set as trusted for Kerberos delegation. This parameter sets the AccountNotDelegated property for an Active Directory account. This parameter also sets the ADS_UF_NOT_DELEGATED flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that the security context of the account is not delegated to a service. </maml:para><maml:para>-AccountNotDelegated $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AccountPassword</maml:name><maml:description><maml:para>Specifies a new password value for an account. This value is stored as an encrypted string. </maml:para><maml:para>The following conditions apply based on the manner in which the password parameter is used: </maml:para><maml:para>$null password is specified - Random password is set and the account is enabled unless it is requested to be disabled </maml:para><maml:para>No password is specified - Random password is set and the account is enabled unless it is requested to be disabled </maml:para><maml:para>User password is specified - Password is set and the account is enabled unless it is requested to be disabled, unless the password you provided does not meet password policy or was not set for other reasons, at which point the account is disabled </maml:para><maml:para>Notes: Computer accounts, by default, are created with a 240-character random password. If you provide a password, an attempt will be made to set that password however, this can fail due to password policy restrictions. The computer account will still be created and you can use Set-ADAccountPassword to set the password on that account. In order to ensure that accounts remain secure, computer accounts will never be enabled unless a valid password is set (either a randomly-generated or user-provided one) or PasswordNotRequired is set to true. </maml:para><maml:para>The account is created if the password fails for any reason. </maml:para><maml:para>The new ADComputer object will always either be disabled or have a user-requested or randomly-generated password. There is no way to create an enabled computer account object with a password that violates domain password policy, such as an empty password. </maml:para><maml:para>The following example shows how to set this parameter. This command will prompt you to enter the password. </maml:para><maml:para>-AccountPassword (Read-Host -AsSecureString "AccountPassword") </maml:para></maml:description><command:parameterValue required="true" variableLength="false">SecureString</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AllowReversiblePasswordEncryption</maml:name><maml:description><maml:para>Specifies whether reversible password encryption is allowed for the account. This parameter sets the AllowReversiblePasswordEncryption property of the account. This parameter also sets the ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-AllowReversiblePasswordEncryption $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AuthenticationPolicy</maml:name><maml:description><maml:para></maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AuthenticationPolicySilo</maml:name><maml:description><maml:para></maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicySilo</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>CannotChangePassword</maml:name><maml:description><maml:para>Specifies whether the account password can be changed. This parameter sets the CannotChangePassword property of an account. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that the account password can be changed. </maml:para><maml:para>-CannotChangePassword $false </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Certificates</maml:name><maml:description><maml:para>Modifies the DER-encoded X.509v3 certificates of the account. These certificates include the public key certificates issued to this account by the Microsoft Certificate Service. This parameter sets the Certificates property of the account object. The LDAP Display Name (ldapDisplayName) for this property is "userCertificate". </maml:para><maml:para>Syntax: </maml:para><maml:para>To add values: </maml:para><maml:para>-Certificates @{Add=value1,value2,...} </maml:para><maml:para>To remove values: </maml:para><maml:para>-Certificates @{Remove=value3,value4,...} </maml:para><maml:para>To replace values: </maml:para><maml:para>-Certificates @{Replace=value1,value2,...} </maml:para><maml:para>To clear all values: </maml:para><maml:para>-Certificates $null </maml:para><maml:para>You can specify more than one operation by using a list separated by semicolons. For example, use the following syntax to add and remove Certificate values </maml:para><maml:para>-Certificates @{Add=value1,value2,...};@{Remove=value3,value4,...} </maml:para><maml:para>The operators will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>The following example shows how to create a certificate by using the New-Object cmdlet, and then add it to a user account. When this cmdlet is run, <certificate password> is replaced by the password used to add the certificate. </maml:para><maml:para>$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate certificate1.cer <certificate password> </maml:para><maml:para>Set-ADUser saradavis -Certificates @{Add=$cert} </maml:para><maml:para>The following example shows how to add a certificate that is specified as a byte array. </maml:para><maml:para>Set-ADUser saradavis -Certificates @{Add= [Byte[]](0xC5,0xEE,0x53,...)} </maml:para></maml:description><command:parameterValue required="true" variableLength="true">X509Certificate[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ChangePasswordAtLogon</maml:name><maml:description><maml:para>Specifies whether a password must be changed during the next logon attempt. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>This parameter cannot be set to $true or 1 for an account that also has the PasswordNeverExpires property set to true. </maml:para><maml:para>The following example shows how to set this parameter so that the password must be changed at logon. </maml:para><maml:para>-ChangePasswordAtLogon $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>CompoundIdentitySupported</maml:name><maml:description><maml:para>Specifies whether an account supports Kerberos service tickets which includes the authorization data for the user's device. This value sets the compound identity supported flag of the Active Directory msDS-SupportedEncryptionTypes attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to specify that an account supports service tickets with device authorization data. </maml:para><maml:para>-SupportDeviceAuthz $true </maml:para><maml:para>Warning: Domain-joined Windows systems and services such as clustering manage their own msDS-SupportedEncryptionTypes attribute. Therefore any changes to the flag on the msDS-SupportedEncryptionTypes attribute will be overwritten by the service or system which manages the setting. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is "displayName". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-DisplayName "Sara Davis Laptop" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>DNSHostName</maml:name><maml:description><maml:para>Specifies the fully qualified domain name (FQDN) of the computer. This parameter sets the DNSHostName property for a computer object. The LDAP Display Name for this property is "dNSHostName". </maml:para><maml:para>The following example shows how to set this parameter to a FQDN. </maml:para><maml:para>-DNSHostName "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Enabled</maml:name><maml:description><maml:para>Specifies if an account is enabled. An enabled account requires a password. This parameter sets the Enabled property for an account object. This parameter also sets the ADS_UF_ACCOUNTDISABLE flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to enable the account. </maml:para><maml:para>-Enabled $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>HomePage</maml:name><maml:description><maml:para>Specifies the URL of the home page of the object. This parameter sets the homePage property of an Active Directory object. The LDAP Display Name (ldapDisplayName) for this property is "wWWHomePage". </maml:para><maml:para>The following example shows how to set this parameter to a URL. </maml:para><maml:para>-HomePage "http://employees.contoso.com/sdavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of a computer object to use as a template for a new computer object. </maml:para><maml:para>You can use an instance of an existing computer object as a template or you can construct a new computer object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create computer object templates. </maml:para><maml:para>Method 1: Use an existing computer object as a template for a new object. To retrieve an instance of an existing computer object use Get-ADcomputer. Then provide this object to the Instance parameter of the New-ADcomputer cmdlet to create a new computer object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$computerInstance = Get-ADcomputer -Identity ellenAdamsDesktop </maml:para><maml:para>New-ADcomputer -Name "saraDavisDesktop" -Instance $computerInstance -AccountPassword "MustChange242" </maml:para><maml:para>-samAccountName "saraDavisDesktop" </maml:para><maml:para>Method 2: Create a new ADcomputer object and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADcomputer cmdlet to create the new Active Directory computer object. </maml:para><maml:para>$computerInstance = new-object Microsoft.ActiveDirectory.Management.ADcomputer </maml:para><maml:para>New-ADcomputer -Name "saraDavisDesktop" -Instance $computerInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADComputer</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>KerberosEncryptionType</maml:name><maml:description><maml:para>Specifies whether an account supports Kerberos encryption types which are used during creation of service tickets. This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes attribute. Possible values for this parameter are: </maml:para><maml:para>None </maml:para><maml:para>DES </maml:para><maml:para>RC4 </maml:para><maml:para>AES128 </maml:para><maml:para>AES256 </maml:para><maml:para>None, will remove all encryption types from the account which may result in the KDC being unable to issue service tickets for services using the account. </maml:para><maml:para>DES is a weak encryption type which is not supported by default since Windows 7 and Windows Server 2008 R2. </maml:para><maml:para>The following example shows how to specify that an account supports service tickets with device authorization data. </maml:para><maml:para>-KerberosEncryptionTypes RC4|AES128|AES256 </maml:para><maml:para>Warning: Domain-joined Windows systems and services such as clustering manage their own msDS-SupportedEncryptionTypes attribute. Therefore any changes to the flag on the msDS-SupportedEncryptionTypes attribute will be overwritten by the service or system which manages the setting. </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">None</command:parameterValue><command:parameterValue required="true" variableLength="false">DES</command:parameterValue><command:parameterValue required="true" variableLength="false">RC4</command:parameterValue><command:parameterValue required="true" variableLength="false">AES128</command:parameterValue><command:parameterValue required="true" variableLength="false">AES256</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Location</maml:name><maml:description><maml:para>Specifies the location of the computer, such as an office number. This parameter sets the Location property of a computer. The LDAP display name (ldapDisplayName) of this property is "location". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Location "Test Lab A" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ManagedBy</maml:name><maml:description><maml:para>Specifies the user or group that manages the object by providing one of the following property values. Note: The identifier in parentheses is the LDAP display name for the property. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,OU=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>This parameter sets the Active Directory attribute with an LDAP Display Name of "managedBy". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-ManagedBy ContosoAdmins </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADPrincipal</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>OperatingSystem</maml:name><maml:description><maml:para>Specifies an operating system name. This parameter sets the OperatingSystem property of the computer object. The LDAP Display Name (ldapDisplayName) for this property is "operatingSystem". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-OperatingSystem "Windows Server 2008 Enterprise" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>OperatingSystemHotfix</maml:name><maml:description><maml:para>Specifies an operating system hotfix name. This parameter sets the operatingSystemHotfix property of the computer object. The LDAP display name for this property is "operatingSystemHotfix". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-operatingSystemHotfix "523466" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>OperatingSystemServicePack</maml:name><maml:description><maml:para>Specifies the name of an operating system service pack. This parameter sets the OperatingSystemServicePack property of the computer object. The LDAP display name (ldapDisplayName) for this property is "operatingSystemServicePack". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-OperatingSystemServicePack "Service Pack 2" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>OperatingSystemVersion</maml:name><maml:description><maml:para>Specifies an operating system version. This parameter sets the OperatingSystemVersion property of the computer object. The LDAP display name (ldapDisplayName) for this property is "operatingSystemVersion". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-OperatingSystemVersion "6.0 (6001)" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OtherAttributes</maml:name><maml:description><maml:para>Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory schema. </maml:para><maml:para>Syntax: </maml:para><maml:para>To specify a single value for an attribute: </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value} </maml:para><maml:para>To specify multiple values for an attribute </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...} </maml:para><maml:para>You can specify values for more than one attribute by using semicolons to separate attributes. The following syntax shows how to set values for multiple attributes: </maml:para><maml:para>-OtherAttributes @{'Attribute1LDAPDisplayName'=value; 'Attribute2LDAPDisplayName'=value1,value2;...} </maml:para><maml:para>The following examples show how to use this parameter. </maml:para><maml:para>To set the value of a custom attribute called favColors that takes a set of Unicode strings, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"} </maml:para><maml:para>To set values for favColors and dateOfBirth simultaneously, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"; 'dateOfBirth'=" 01/01/1960"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>PasswordNeverExpires</maml:name><maml:description><maml:para>Specifies whether the password of an account can expire. This parameter sets the PasswordNeverExpires property of an account object. This parameter also sets the ADS_UF_DONT_EXPIRE_PASSWD flag of the Active Directory User Account Control attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>Note: This parameter cannot be set to $true or 1 for an account that also has the ChangePasswordAtLogon property set to true. </maml:para><maml:para>The following example shows how to set this parameter so that the password can expire. </maml:para><maml:para>-PasswordNeverExpires $false </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>PasswordNotRequired</maml:name><maml:description><maml:para>Specifies whether the account requires a password. This parameter sets the PasswordNotRequired property of an account, such as a user or computer account. This parameter also sets the ADS_UF_PASSWD_NOTREQD flag of the Active Directory User Account Control attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that as password is not required for the account. </maml:para><maml:para>-PasswordNotRequired $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Path</maml:name><maml:description><maml:para>Specifies the X.500 path of the Organizational Unit (OU) or container where the new object is created. </maml:para><maml:para>In many cases, a default value will be used for the Path parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Path will be set in the following cases: </maml:para><maml:para>- If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive. </maml:para><maml:para>- If the cmdlet has a default path, this will be used. For example: in New-ADUser, the Path parameter would default to the Users container. </maml:para><maml:para>- If none of the previous cases apply, the default value of Path will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Path will be set in the following cases: </maml:para><maml:para>- If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive. </maml:para><maml:para>- If the cmdlet has a default path, this will be used. For example: in New-ADUser, the Path parameter would default to the Users container. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Path will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Path parameter will not take any default value. </maml:para><maml:para>The following example shows how to set this parameter to an OU. </maml:para><maml:para>-Path "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>Note: The Active Directory Provider cmdlets, such New-Item, Remove-Item, Remove-ItemProperty, Rename-Item and Set-ItemProperty also contain a Path property. However, for the provider cmdlets, the Path parameter identifies the path of the actual object and not the container as with the Active Directory cmdlets. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>PrincipalsAllowedToDelegateToAccount</maml:name><maml:description><maml:para>Specifies the accounts which can act on the behalf of users to services running as this computer account. This parameter sets the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of a computer account object. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADPrincipal[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>SAMAccountName</maml:name><maml:description><maml:para>Specifies the Security Account Manager (SAM) account name of the user, group, computer, or service account. The maximum length of the description is 256 characters. To be compatible with older operating systems, create a SAM account name that is 15 characters or less. This parameter sets the SAMAccountName for an account object. The LDAP display name (ldapDisplayName) for this property is "sAMAccountName". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-SAMAccountName "saradavis" </maml:para><maml:para>Note: If the SAMAccountName string provided, does not end with a '$', one will be appended if needed. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ServicePrincipalNames</maml:name><maml:description><maml:para>Specifies the service principal names for the account. This parameter sets the ServicePrincipalNames property of the account. The LDAP display name (ldapDisplayName) for this property is servicePrincipalName. This parameter uses the following syntax to add remove, replace or clear service principal name values. </maml:para><maml:para>Syntax: </maml:para><maml:para>To add values: </maml:para><maml:para>-ServicePrincipalNames @{Add=value1,value2,...} </maml:para><maml:para>To remove values: </maml:para><maml:para>-ServicePrincipalNames @{Remove=value3,value4,...} </maml:para><maml:para>To replace values: </maml:para><maml:para>-ServicePrincipalNames @{Replace=value1,value2,...} </maml:para><maml:para>To clear all values: </maml:para><maml:para>-ServicePrincipalNames $null </maml:para><maml:para>You can specify more than one change by using a list separated by semicolons. For example, use the following syntax to add and remove service principal names. </maml:para><maml:para>@{Add=value1,value2,...};@{Remove=value3,value4,...} </maml:para><maml:para>The operators will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>The following example shows how to add and remove service principal names. </maml:para><maml:para>-ServicePrincipalNames-@{Add="SQLservice\accounting.corp.contoso.com:1456"};{Remove="SQLservice\finance.corp.contoso.com:1456"} </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>TrustedForDelegation</maml:name><maml:description><maml:para>Specifies whether an account is trusted for Kerberos delegation. A service that runs under an account that is trusted for Kerberos delegation can assume the identity of a client requesting the service. This parameter sets the TrustedForDelegation property of an account object. This value also sets the ADS_UF_TRUSTED_FOR_DELEGATION flag of the Active Directory User Account Control attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to specify that an account is trusted for Kerberos delegation. </maml:para><maml:para>-TrustedForDelegation $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>UserPrincipalName</maml:name><maml:description><maml:para>Each user account has a user principal name (UPN) in the format <user>@<DNS-domain-name>. A UPN is a friendly name assigned by an administrator that is shorter than the LDAP distinguished name used by the system and easier to remember. The UPN is independent of the user object's DN, so a user object can be moved or renamed without affecting the user logon name. When logging on using a UPN, users no longer have to choose a domain from a list on the logon dialog box. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AccountExpirationDate</maml:name><maml:description><maml:para>Specifies the expiration date for an account. When you set this parameter to 0, the account never expires. This parameter sets the AccountExpirationDate property of an account object. The LDAP Display name (ldapDisplayName) for this property is accountExpires. </maml:para><maml:para>Use the DateTime syntax when you specify this parameter. Time is assumed to be local time unless otherwise specified. When a time value is not specified, the time is assumed to 12:00:00 AM local time. When a date is not specified, the date is assumed to be the current date. The following examples show commonly-used syntax to specify a DateTime object. </maml:para><maml:para>"4/17/2006" </maml:para><maml:para>"Monday, April 17, 2006" </maml:para><maml:para>"2:22:45 PM" </maml:para><maml:para>"Monday, April 17, 2006 2:22:45 PM" </maml:para><maml:para>These examples specify the same date and the time without the seconds. </maml:para><maml:para>"4/17/2006 2:22 PM" </maml:para><maml:para>"Monday, April 17, 2006 2:22 PM" </maml:para><maml:para>"2:22 PM" </maml:para><maml:para>The following example shows how to specify a date and time by using the RFC1123 standard. This example defines time by using Greenwich Mean Time (GMT). </maml:para><maml:para>"Mon, 17 Apr 2006 21:22:48 GMT" </maml:para><maml:para>The following example shows how to specify a round-trip value as Coordinated Universal Time (UTC). This example represents Monday, April 17, 2006 at 2:22:48 PM UTC. </maml:para><maml:para>"2006-04-17T14:22:48.0000000" </maml:para><maml:para>The following example shows how to set this parameter to the date May 1, 2012 at 5 PM. </maml:para><maml:para>-AccountExpirationDate "05/01/2012 5:00:00 PM" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue><dev:type><maml:name>DateTime</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AccountNotDelegated</maml:name><maml:description><maml:para>Specifies whether the security context of the user is delegated to a service. When this parameter is set to true, the security context of the account is not delegated to a service even when the service account is set as trusted for Kerberos delegation. This parameter sets the AccountNotDelegated property for an Active Directory account. This parameter also sets the ADS_UF_NOT_DELEGATED flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that the security context of the account is not delegated to a service. </maml:para><maml:para>-AccountNotDelegated $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AccountPassword</maml:name><maml:description><maml:para>Specifies a new password value for an account. This value is stored as an encrypted string. </maml:para><maml:para>The following conditions apply based on the manner in which the password parameter is used: </maml:para><maml:para>$null password is specified - Random password is set and the account is enabled unless it is requested to be disabled </maml:para><maml:para>No password is specified - Random password is set and the account is enabled unless it is requested to be disabled </maml:para><maml:para>User password is specified - Password is set and the account is enabled unless it is requested to be disabled, unless the password you provided does not meet password policy or was not set for other reasons, at which point the account is disabled </maml:para><maml:para>Notes: Computer accounts, by default, are created with a 240-character random password. If you provide a password, an attempt will be made to set that password however, this can fail due to password policy restrictions. The computer account will still be created and you can use Set-ADAccountPassword to set the password on that account. In order to ensure that accounts remain secure, computer accounts will never be enabled unless a valid password is set (either a randomly-generated or user-provided one) or PasswordNotRequired is set to true. </maml:para><maml:para>The account is created if the password fails for any reason. </maml:para><maml:para>The new ADComputer object will always either be disabled or have a user-requested or randomly-generated password. There is no way to create an enabled computer account object with a password that violates domain password policy, such as an empty password. </maml:para><maml:para>The following example shows how to set this parameter. This command will prompt you to enter the password. </maml:para><maml:para>-AccountPassword (Read-Host -AsSecureString "AccountPassword") </maml:para></maml:description><command:parameterValue required="true" variableLength="false">SecureString</command:parameterValue><dev:type><maml:name>SecureString</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AllowReversiblePasswordEncryption</maml:name><maml:description><maml:para>Specifies whether reversible password encryption is allowed for the account. This parameter sets the AllowReversiblePasswordEncryption property of the account. This parameter also sets the ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-AllowReversiblePasswordEncryption $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AuthenticationPolicy</maml:name><maml:description><maml:para></maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue><dev:type><maml:name>ADAuthenticationPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AuthenticationPolicySilo</maml:name><maml:description><maml:para></maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicySilo</command:parameterValue><dev:type><maml:name>ADAuthenticationPolicySilo</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>CannotChangePassword</maml:name><maml:description><maml:para>Specifies whether the account password can be changed. This parameter sets the CannotChangePassword property of an account. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that the account password can be changed. </maml:para><maml:para>-CannotChangePassword $false </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Certificates</maml:name><maml:description><maml:para>Modifies the DER-encoded X.509v3 certificates of the account. These certificates include the public key certificates issued to this account by the Microsoft Certificate Service. This parameter sets the Certificates property of the account object. The LDAP Display Name (ldapDisplayName) for this property is "userCertificate". </maml:para><maml:para>Syntax: </maml:para><maml:para>To add values: </maml:para><maml:para>-Certificates @{Add=value1,value2,...} </maml:para><maml:para>To remove values: </maml:para><maml:para>-Certificates @{Remove=value3,value4,...} </maml:para><maml:para>To replace values: </maml:para><maml:para>-Certificates @{Replace=value1,value2,...} </maml:para><maml:para>To clear all values: </maml:para><maml:para>-Certificates $null </maml:para><maml:para>You can specify more than one operation by using a list separated by semicolons. For example, use the following syntax to add and remove Certificate values </maml:para><maml:para>-Certificates @{Add=value1,value2,...};@{Remove=value3,value4,...} </maml:para><maml:para>The operators will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>The following example shows how to create a certificate by using the New-Object cmdlet, and then add it to a user account. When this cmdlet is run, <certificate password> is replaced by the password used to add the certificate. </maml:para><maml:para>$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate certificate1.cer <certificate password> </maml:para><maml:para>Set-ADUser saradavis -Certificates @{Add=$cert} </maml:para><maml:para>The following example shows how to add a certificate that is specified as a byte array. </maml:para><maml:para>Set-ADUser saradavis -Certificates @{Add= [Byte[]](0xC5,0xEE,0x53,...)} </maml:para></maml:description><command:parameterValue required="true" variableLength="true">X509Certificate[]</command:parameterValue><dev:type><maml:name>X509Certificate[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ChangePasswordAtLogon</maml:name><maml:description><maml:para>Specifies whether a password must be changed during the next logon attempt. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>This parameter cannot be set to $true or 1 for an account that also has the PasswordNeverExpires property set to true. </maml:para><maml:para>The following example shows how to set this parameter so that the password must be changed at logon. </maml:para><maml:para>-ChangePasswordAtLogon $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>CompoundIdentitySupported</maml:name><maml:description><maml:para>Specifies whether an account supports Kerberos service tickets which includes the authorization data for the user's device. This value sets the compound identity supported flag of the Active Directory msDS-SupportedEncryptionTypes attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to specify that an account supports service tickets with device authorization data. </maml:para><maml:para>-SupportDeviceAuthz $true </maml:para><maml:para>Warning: Domain-joined Windows systems and services such as clustering manage their own msDS-SupportedEncryptionTypes attribute. Therefore any changes to the flag on the msDS-SupportedEncryptionTypes attribute will be overwritten by the service or system which manages the setting. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>DNSHostName</maml:name><maml:description><maml:para>Specifies the fully qualified domain name (FQDN) of the computer. This parameter sets the DNSHostName property for a computer object. The LDAP Display Name for this property is "dNSHostName". </maml:para><maml:para>The following example shows how to set this parameter to a FQDN. </maml:para><maml:para>-DNSHostName "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is "displayName". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-DisplayName "Sara Davis Laptop" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Enabled</maml:name><maml:description><maml:para>Specifies if an account is enabled. An enabled account requires a password. This parameter sets the Enabled property for an account object. This parameter also sets the ADS_UF_ACCOUNTDISABLE flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to enable the account. </maml:para><maml:para>-Enabled $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>HomePage</maml:name><maml:description><maml:para>Specifies the URL of the home page of the object. This parameter sets the homePage property of an Active Directory object. The LDAP Display Name (ldapDisplayName) for this property is "wWWHomePage". </maml:para><maml:para>The following example shows how to set this parameter to a URL. </maml:para><maml:para>-HomePage "http://employees.contoso.com/sdavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of a computer object to use as a template for a new computer object. </maml:para><maml:para>You can use an instance of an existing computer object as a template or you can construct a new computer object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create computer object templates. </maml:para><maml:para>Method 1: Use an existing computer object as a template for a new object. To retrieve an instance of an existing computer object use Get-ADcomputer. Then provide this object to the Instance parameter of the New-ADcomputer cmdlet to create a new computer object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$computerInstance = Get-ADcomputer -Identity ellenAdamsDesktop </maml:para><maml:para>New-ADcomputer -Name "saraDavisDesktop" -Instance $computerInstance -AccountPassword "MustChange242" </maml:para><maml:para>-samAccountName "saraDavisDesktop" </maml:para><maml:para>Method 2: Create a new ADcomputer object and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADcomputer cmdlet to create the new Active Directory computer object. </maml:para><maml:para>$computerInstance = new-object Microsoft.ActiveDirectory.Management.ADcomputer </maml:para><maml:para>New-ADcomputer -Name "saraDavisDesktop" -Instance $computerInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADComputer</command:parameterValue><dev:type><maml:name>ADComputer</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>KerberosEncryptionType</maml:name><maml:description><maml:para>Specifies whether an account supports Kerberos encryption types which are used during creation of service tickets. This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes attribute. Possible values for this parameter are: </maml:para><maml:para>None </maml:para><maml:para>DES </maml:para><maml:para>RC4 </maml:para><maml:para>AES128 </maml:para><maml:para>AES256 </maml:para><maml:para>None, will remove all encryption types from the account which may result in the KDC being unable to issue service tickets for services using the account. </maml:para><maml:para>DES is a weak encryption type which is not supported by default since Windows 7 and Windows Server 2008 R2. </maml:para><maml:para>The following example shows how to specify that an account supports service tickets with device authorization data. </maml:para><maml:para>-KerberosEncryptionTypes RC4|AES128|AES256 </maml:para><maml:para>Warning: Domain-joined Windows systems and services such as clustering manage their own msDS-SupportedEncryptionTypes attribute. Therefore any changes to the flag on the msDS-SupportedEncryptionTypes attribute will be overwritten by the service or system which manages the setting. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADKerberosEncryptionType</command:parameterValue><dev:type><maml:name>ADKerberosEncryptionType</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Location</maml:name><maml:description><maml:para>Specifies the location of the computer, such as an office number. This parameter sets the Location property of a computer. The LDAP display name (ldapDisplayName) of this property is "location". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Location "Test Lab A" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ManagedBy</maml:name><maml:description><maml:para>Specifies the user or group that manages the object by providing one of the following property values. Note: The identifier in parentheses is the LDAP display name for the property. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,OU=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>This parameter sets the Active Directory attribute with an LDAP Display Name of "managedBy". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-ManagedBy ContosoAdmins </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADPrincipal</command:parameterValue><dev:type><maml:name>ADPrincipal</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name". </maml:para><maml:para>The following example shows how to set this parameter to a name string. </maml:para><maml:para>-Name "SaraDavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>OperatingSystem</maml:name><maml:description><maml:para>Specifies an operating system name. This parameter sets the OperatingSystem property of the computer object. The LDAP Display Name (ldapDisplayName) for this property is "operatingSystem". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-OperatingSystem "Windows Server 2008 Enterprise" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>OperatingSystemHotfix</maml:name><maml:description><maml:para>Specifies an operating system hotfix name. This parameter sets the operatingSystemHotfix property of the computer object. The LDAP display name for this property is "operatingSystemHotfix". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-operatingSystemHotfix "523466" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>OperatingSystemServicePack</maml:name><maml:description><maml:para>Specifies the name of an operating system service pack. This parameter sets the OperatingSystemServicePack property of the computer object. The LDAP display name (ldapDisplayName) for this property is "operatingSystemServicePack". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-OperatingSystemServicePack "Service Pack 2" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>OperatingSystemVersion</maml:name><maml:description><maml:para>Specifies an operating system version. This parameter sets the OperatingSystemVersion property of the computer object. The LDAP display name (ldapDisplayName) for this property is "operatingSystemVersion". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-OperatingSystemVersion "6.0 (6001)" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OtherAttributes</maml:name><maml:description><maml:para>Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory schema. </maml:para><maml:para>Syntax: </maml:para><maml:para>To specify a single value for an attribute: </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value} </maml:para><maml:para>To specify multiple values for an attribute </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...} </maml:para><maml:para>You can specify values for more than one attribute by using semicolons to separate attributes. The following syntax shows how to set values for multiple attributes: </maml:para><maml:para>-OtherAttributes @{'Attribute1LDAPDisplayName'=value; 'Attribute2LDAPDisplayName'=value1,value2;...} </maml:para><maml:para>The following examples show how to use this parameter. </maml:para><maml:para>To set the value of a custom attribute called favColors that takes a set of Unicode strings, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"} </maml:para><maml:para>To set values for favColors and dateOfBirth simultaneously, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"; 'dateOfBirth'=" 01/01/1960"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>PasswordNeverExpires</maml:name><maml:description><maml:para>Specifies whether the password of an account can expire. This parameter sets the PasswordNeverExpires property of an account object. This parameter also sets the ADS_UF_DONT_EXPIRE_PASSWD flag of the Active Directory User Account Control attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>Note: This parameter cannot be set to $true or 1 for an account that also has the ChangePasswordAtLogon property set to true. </maml:para><maml:para>The following example shows how to set this parameter so that the password can expire. </maml:para><maml:para>-PasswordNeverExpires $false </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>PasswordNotRequired</maml:name><maml:description><maml:para>Specifies whether the account requires a password. This parameter sets the PasswordNotRequired property of an account, such as a user or computer account. This parameter also sets the ADS_UF_PASSWD_NOTREQD flag of the Active Directory User Account Control attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that as password is not required for the account. </maml:para><maml:para>-PasswordNotRequired $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Path</maml:name><maml:description><maml:para>Specifies the X.500 path of the Organizational Unit (OU) or container where the new object is created. </maml:para><maml:para>In many cases, a default value will be used for the Path parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Path will be set in the following cases: </maml:para><maml:para>- If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive. </maml:para><maml:para>- If the cmdlet has a default path, this will be used. For example: in New-ADUser, the Path parameter would default to the Users container. </maml:para><maml:para>- If none of the previous cases apply, the default value of Path will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Path will be set in the following cases: </maml:para><maml:para>- If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive. </maml:para><maml:para>- If the cmdlet has a default path, this will be used. For example: in New-ADUser, the Path parameter would default to the Users container. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Path will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Path parameter will not take any default value. </maml:para><maml:para>The following example shows how to set this parameter to an OU. </maml:para><maml:para>-Path "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>Note: The Active Directory Provider cmdlets, such New-Item, Remove-Item, Remove-ItemProperty, Rename-Item and Set-ItemProperty also contain a Path property. However, for the provider cmdlets, the Path parameter identifies the path of the actual object and not the container as with the Active Directory cmdlets. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>PrincipalsAllowedToDelegateToAccount</maml:name><maml:description><maml:para>Specifies the accounts which can act on the behalf of users to services running as this computer account. This parameter sets the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of a computer account object. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADPrincipal[]</command:parameterValue><dev:type><maml:name>ADPrincipal[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>SAMAccountName</maml:name><maml:description><maml:para>Specifies the Security Account Manager (SAM) account name of the user, group, computer, or service account. The maximum length of the description is 256 characters. To be compatible with older operating systems, create a SAM account name that is 15 characters or less. This parameter sets the SAMAccountName for an account object. The LDAP display name (ldapDisplayName) for this property is "sAMAccountName". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-SAMAccountName "saradavis" </maml:para><maml:para>Note: If the SAMAccountName string provided, does not end with a '$', one will be appended if needed. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ServicePrincipalNames</maml:name><maml:description><maml:para>Specifies the service principal names for the account. This parameter sets the ServicePrincipalNames property of the account. The LDAP display name (ldapDisplayName) for this property is servicePrincipalName. This parameter uses the following syntax to add remove, replace or clear service principal name values. </maml:para><maml:para>Syntax: </maml:para><maml:para>To add values: </maml:para><maml:para>-ServicePrincipalNames @{Add=value1,value2,...} </maml:para><maml:para>To remove values: </maml:para><maml:para>-ServicePrincipalNames @{Remove=value3,value4,...} </maml:para><maml:para>To replace values: </maml:para><maml:para>-ServicePrincipalNames @{Replace=value1,value2,...} </maml:para><maml:para>To clear all values: </maml:para><maml:para>-ServicePrincipalNames $null </maml:para><maml:para>You can specify more than one change by using a list separated by semicolons. For example, use the following syntax to add and remove service principal names. </maml:para><maml:para>@{Add=value1,value2,...};@{Remove=value3,value4,...} </maml:para><maml:para>The operators will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>The following example shows how to add and remove service principal names. </maml:para><maml:para>-ServicePrincipalNames-@{Add="SQLservice\accounting.corp.contoso.com:1456"};{Remove="SQLservice\finance.corp.contoso.com:1456"} </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>TrustedForDelegation</maml:name><maml:description><maml:para>Specifies whether an account is trusted for Kerberos delegation. A service that runs under an account that is trusted for Kerberos delegation can assume the identity of a client requesting the service. This parameter sets the TrustedForDelegation property of an account object. This value also sets the ADS_UF_TRUSTED_FOR_DELEGATION flag of the Active Directory User Account Control attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to specify that an account is trusted for Kerberos delegation. </maml:para><maml:para>-TrustedForDelegation $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>UserPrincipalName</maml:name><maml:description><maml:para>Each user account has a user principal name (UPN) in the format <user>@<DNS-domain-name>. A UPN is a friendly name assigned by an administrator that is shorter than the LDAP distinguished name used by the system and easier to remember. The UPN is independent of the user object's DN, so a user object can be moved or renamed without affecting the user logon name. When logging on using a UPN, users no longer have to choose a domain from a list on the logon dialog box. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADComputer</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A computer object that is a template for the new computer object is received by the Instance parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADComputer</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns the new computer object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with AD LDS. </maml:para><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADComputer -Name "FABRIKAM-SRV2" -SamAccountName "FABRIKAM-SRV2" -Path "OU=ApplicationServers,OU=ComputerAccounts,OU=Managed,DC=FABRIKAM,DC=COM" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new computer account in the OU: "OU=ApplicationServers,OU=ComputerAccounts,OU=Managed,DC=FABRIKAM,DC=COM". </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADComputer -Name "FABRIKAM-SRV3" -SamAccountName "FABRIKAM-SRV3" -Path "OU=ApplicationServers,OU=ComputerAccounts,OU=Managed,DC=FABRIKAM,DC=COM" -Enabled $true -Location "Redmond,WA" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new computer account under a particular OU, which is enabled and located in "Redmond,WA". </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>$templateComp = get-adcomputer "LabServer-00" -properties "Location","OperatingSystem","OperatingSystemHotfix","OperatingSystemServicePack","OperatingSystemVersion"; New-ADComputer -Instance $templateComp -Name "LabServer-01" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Creates a new computer account from a template object. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291064</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Add-ADComputerServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADComputer</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADComputerServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADComputer</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADComputerServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADComputer</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>New-ADDCCloneConfigFile</command:name><maml:description><maml:para>Performs prerequisite checks for cloning a domain controller and generates a clone configuration file if all checks succeed.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>New</command:verb><command:noun>ADDCCloneConfigFile</command:noun><dev:version /></command:details><maml:description><maml:para>The New-DCCloneConfigFile cmdlet performs prerequisite checks for cloning a domain controller (DC) when run locally on the DC being prepared for cloning. This cmdlet generates a clone configuration file, DCCloneConfig.xml, at an appropriate location, if all prerequisite checks succeed.</maml:para><maml:para>There are two mode of operation for this cmdlet, depending on where it is executed. When run on the domain controller that is being prepared for cloning, it will run the following pre-requisite checks to make sure this DC is adequately prepared for cloning:</maml:para><maml:para>(1) Is the PDC emulator FSMO role hosted on a DC running Windows Server 2012? (2) Is this computer authorized for DC cloning (i.e. is the computer a member of the Cloneable Domain Controllers group)? (3) Are all program and services listed in the output of the Get-ADDCCloningExcludedApplicationList cmdlet captured in CustomDCCloneAllowList.xml?</maml:para><maml:para>If these pre-requisite checks all pass, the New-DCCloneConfigFile cmdlet will generate a DCCloneConfig.xml file at a suitable location based on the parameter values supplied. This cmdlet can also be run from a client (with RSAT) and used to generate a DCCloneConfig.xml against offline media of the DC being cloned, however, none of the pre-requisite checks will be performed in this usage mode. This usage is intended to generate DCCloneConfig.xml files with specific configuration values for each clone on copies of the offline media.</maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>New-ADDCCloneConfigFile</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases="cn"><maml:name>CloneComputerName</maml:name><maml:description><maml:para>Specifies the computer name for the cloned DC. If this parameter is not specified as a unique name within the enterprise of 15 characters or less, the following formula is used to programmatically generate a name:</maml:para><maml:para>(1) The first 8 characters of the source DC computer name. For example, a source computer name of "SourceComputer" is truncated to a prefix string of "SourceCo". (2) A unique naming suffix of the format "–CLnnnn" is appended to the prefix string where nnnn is the next available value from 0001-9999 that the PDC determines is not currently in use. For example, if 0047 is the next available number within the allowed range, using the above source computer prefix of "SourceCo" the derived name to use for the clone computer will be SourceCo-CL0047.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>IPv4DNSResolver</maml:name><maml:description><maml:para>Specifies the Internet Protocol version 4 (IPv4) address for the DNS server to be used by the cloned DC to resolve names. A maximum of 4 string values can be provided.</maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Path</maml:name><maml:description><maml:para>Specifies the folder path to use when writing the clone configuration file. If the cmdlet is run and all prerequisite checks succeed, a DCCloneConfig.xml file will be written and appear in this location as output. The Path parameter is optional when running the cmdlet on the DC being prepared for cloning. In this case, the default location of the DIT folder will be used and this parameter does not need to be specified. When running the New-DCCLoneConfigFile cmdlet in offline mode (i.e. when the Offline parameter is specified), however, the Path parameter is required.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SiteName</maml:name><maml:description><maml:para>Specifies the name of the Active Directory site in which to place the cloned DC.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>New-ADDCCloneConfigFile</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AlternateWINSServer</maml:name><maml:description><maml:para>Specifies the name of the alternate Windows Internet Naming Service (WINS) server for the cloned DC to use if the preferred WINS Server is not available.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases="cn"><maml:name>CloneComputerName</maml:name><maml:description><maml:para>Specifies the computer name for the cloned DC. If this parameter is not specified as a unique name within the enterprise of 15 characters or less, the following formula is used to programmatically generate a name:</maml:para><maml:para>(1) The first 8 characters of the source DC computer name. For example, a source computer name of "SourceComputer" is truncated to a prefix string of "SourceCo". (2) A unique naming suffix of the format "–CLnnnn" is appended to the prefix string where nnnn is the next available value from 0001-9999 that the PDC determines is not currently in use. For example, if 0047 is the next available number within the allowed range, using the above source computer prefix of "SourceCo" the derived name to use for the clone computer will be SourceCo-CL0047.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>IPv4DefaultGateway</maml:name><maml:description><maml:para>Specifies the Internet Protocol version 4 (IPv4) address for the default gateway to be used by the cloned DC.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Path</maml:name><maml:description><maml:para>Specifies the folder path to use when writing the clone configuration file. If the cmdlet is run and all prerequisite checks succeed, a DCCloneConfig.xml file will be written and appear in this location as output. The Path parameter is optional when running the cmdlet on the DC being prepared for cloning. In this case, the default location of the DIT folder will be used and this parameter does not need to be specified. When running the New-DCCLoneConfigFile cmdlet in offline mode (i.e. when the Offline parameter is specified), however, the Path parameter is required.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PreferredWINSServer</maml:name><maml:description><maml:para>Specifies the name of the primary Windows Internet Naming Service (WINS) server to use as the preferred WINS Server for the cloned DC.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SiteName</maml:name><maml:description><maml:para>Specifies the name of the Active Directory site in which to place the cloned DC.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>IPv4Address</maml:name><maml:description><maml:para>Specifies the Internet Protocol version 4 (IPv4) address to be assigned to the cloned DC.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>IPv4DNSResolver</maml:name><maml:description><maml:para>Specifies the Internet Protocol version 4 (IPv4) address for the DNS server to be used by the cloned DC to resolve names. A maximum of 4 string values can be provided.</maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>IPv4SubnetMask</maml:name><maml:description><maml:para>Specifies the Internet Protocol version 4 (IPv4) subnet mask to use for the subnet where the cloned DC is to be located.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Static</maml:name><maml:description><maml:para>Indicates whether the TCP/IP configuration specified for the cloned DC is static or dynamic IP configuration.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>New-ADDCCloneConfigFile</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AlternateWINSServer</maml:name><maml:description><maml:para>Specifies the name of the alternate Windows Internet Naming Service (WINS) server for the cloned DC to use if the preferred WINS Server is not available.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases="cn"><maml:name>CloneComputerName</maml:name><maml:description><maml:para>Specifies the computer name for the cloned DC. If this parameter is not specified as a unique name within the enterprise of 15 characters or less, the following formula is used to programmatically generate a name:</maml:para><maml:para>(1) The first 8 characters of the source DC computer name. For example, a source computer name of "SourceComputer" is truncated to a prefix string of "SourceCo". (2) A unique naming suffix of the format "–CLnnnn" is appended to the prefix string where nnnn is the next available value from 0001-9999 that the PDC determines is not currently in use. For example, if 0047 is the next available number within the allowed range, using the above source computer prefix of "SourceCo" the derived name to use for the clone computer will be SourceCo-CL0047.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>IPv4Address</maml:name><maml:description><maml:para>Specifies the Internet Protocol version 4 (IPv4) address to be assigned to the cloned DC.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>IPv4DefaultGateway</maml:name><maml:description><maml:para>Specifies the Internet Protocol version 4 (IPv4) address for the default gateway to be used by the cloned DC.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>IPv4DNSResolver</maml:name><maml:description><maml:para>Specifies the Internet Protocol version 4 (IPv4) address for the DNS server to be used by the cloned DC to resolve names. A maximum of 4 string values can be provided.</maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>IPv4SubnetMask</maml:name><maml:description><maml:para>Specifies the Internet Protocol version 4 (IPv4) subnet mask to use for the subnet where the cloned DC is to be located.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>IPv6DNSResolver</maml:name><maml:description><maml:para>Specifies the Internet Protocol version 6 (IPv6) address for the DNS server to be used by the cloned DC to resolve names.</maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PreferredWINSServer</maml:name><maml:description><maml:para>Specifies the name of the primary Windows Internet Naming Service (WINS) server to use as the preferred WINS Server for the cloned DC.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SiteName</maml:name><maml:description><maml:para>Specifies the name of the Active Directory site in which to place the cloned DC.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Static</maml:name><maml:description><maml:para>Indicates whether the TCP/IP configuration specified for the cloned DC is static or dynamic IP configuration.</maml:para></maml:description></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Offline</maml:name><maml:description><maml:para>Indicates whether the cmdlet is being run against an offline media or on the DC being prepared for cloning. </maml:para></maml:description></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Path</maml:name><maml:description><maml:para>Specifies the folder path to use when writing the clone configuration file. If the cmdlet is run and all prerequisite checks succeed, a DCCloneConfig.xml file will be written and appear in this location as output. The Path parameter is optional when running the cmdlet on the DC being prepared for cloning. In this case, the default location of the DIT folder will be used and this parameter does not need to be specified. When running the New-DCCLoneConfigFile cmdlet in offline mode (i.e. when the Offline parameter is specified), however, the Path parameter is required.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>New-ADDCCloneConfigFile</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases="cn"><maml:name>CloneComputerName</maml:name><maml:description><maml:para>Specifies the computer name for the cloned DC. If this parameter is not specified as a unique name within the enterprise of 15 characters or less, the following formula is used to programmatically generate a name:</maml:para><maml:para>(1) The first 8 characters of the source DC computer name. For example, a source computer name of "SourceComputer" is truncated to a prefix string of "SourceCo". (2) A unique naming suffix of the format "–CLnnnn" is appended to the prefix string where nnnn is the next available value from 0001-9999 that the PDC determines is not currently in use. For example, if 0047 is the next available number within the allowed range, using the above source computer prefix of "SourceCo" the derived name to use for the clone computer will be SourceCo-CL0047.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Path</maml:name><maml:description><maml:para>Specifies the folder path to use when writing the clone configuration file. If the cmdlet is run and all prerequisite checks succeed, a DCCloneConfig.xml file will be written and appear in this location as output. The Path parameter is optional when running the cmdlet on the DC being prepared for cloning. In this case, the default location of the DIT folder will be used and this parameter does not need to be specified. When running the New-DCCLoneConfigFile cmdlet in offline mode (i.e. when the Offline parameter is specified), however, the Path parameter is required.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SiteName</maml:name><maml:description><maml:para>Specifies the name of the Active Directory site in which to place the cloned DC.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>IPv6DNSResolver</maml:name><maml:description><maml:para>Specifies the Internet Protocol version 6 (IPv6) address for the DNS server to be used by the cloned DC to resolve names.</maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Static</maml:name><maml:description><maml:para>Indicates whether the TCP/IP configuration specified for the cloned DC is static or dynamic IP configuration.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>New-ADDCCloneConfigFile</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases="cn"><maml:name>CloneComputerName</maml:name><maml:description><maml:para>Specifies the computer name for the cloned DC. If this parameter is not specified as a unique name within the enterprise of 15 characters or less, the following formula is used to programmatically generate a name:</maml:para><maml:para>(1) The first 8 characters of the source DC computer name. For example, a source computer name of "SourceComputer" is truncated to a prefix string of "SourceCo". (2) A unique naming suffix of the format "–CLnnnn" is appended to the prefix string where nnnn is the next available value from 0001-9999 that the PDC determines is not currently in use. For example, if 0047 is the next available number within the allowed range, using the above source computer prefix of "SourceCo" the derived name to use for the clone computer will be SourceCo-CL0047.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>IPv6DNSResolver</maml:name><maml:description><maml:para>Specifies the Internet Protocol version 6 (IPv6) address for the DNS server to be used by the cloned DC to resolve names.</maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Path</maml:name><maml:description><maml:para>Specifies the folder path to use when writing the clone configuration file. If the cmdlet is run and all prerequisite checks succeed, a DCCloneConfig.xml file will be written and appear in this location as output. The Path parameter is optional when running the cmdlet on the DC being prepared for cloning. In this case, the default location of the DIT folder will be used and this parameter does not need to be specified. When running the New-DCCLoneConfigFile cmdlet in offline mode (i.e. when the Offline parameter is specified), however, the Path parameter is required.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SiteName</maml:name><maml:description><maml:para>Specifies the name of the Active Directory site in which to place the cloned DC.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AlternateWINSServer</maml:name><maml:description><maml:para>Specifies the name of the alternate Windows Internet Naming Service (WINS) server for the cloned DC to use if the preferred WINS Server is not available.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases="cn"><maml:name>CloneComputerName</maml:name><maml:description><maml:para>Specifies the computer name for the cloned DC. If this parameter is not specified as a unique name within the enterprise of 15 characters or less, the following formula is used to programmatically generate a name:</maml:para><maml:para>(1) The first 8 characters of the source DC computer name. For example, a source computer name of "SourceComputer" is truncated to a prefix string of "SourceCo". (2) A unique naming suffix of the format "–CLnnnn" is appended to the prefix string where nnnn is the next available value from 0001-9999 that the PDC determines is not currently in use. For example, if 0047 is the next available number within the allowed range, using the above source computer prefix of "SourceCo" the derived name to use for the clone computer will be SourceCo-CL0047.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>IPv4Address</maml:name><maml:description><maml:para>Specifies the Internet Protocol version 4 (IPv4) address to be assigned to the cloned DC.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>IPv4DefaultGateway</maml:name><maml:description><maml:para>Specifies the Internet Protocol version 4 (IPv4) address for the default gateway to be used by the cloned DC.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>IPv4DNSResolver</maml:name><maml:description><maml:para>Specifies the Internet Protocol version 4 (IPv4) address for the DNS server to be used by the cloned DC to resolve names. A maximum of 4 string values can be provided.</maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>IPv4SubnetMask</maml:name><maml:description><maml:para>Specifies the Internet Protocol version 4 (IPv4) subnet mask to use for the subnet where the cloned DC is to be located.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>IPv6DNSResolver</maml:name><maml:description><maml:para>Specifies the Internet Protocol version 6 (IPv6) address for the DNS server to be used by the cloned DC to resolve names.</maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Offline</maml:name><maml:description><maml:para>Indicates whether the cmdlet is being run against an offline media or on the DC being prepared for cloning. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Path</maml:name><maml:description><maml:para>Specifies the folder path to use when writing the clone configuration file. If the cmdlet is run and all prerequisite checks succeed, a DCCloneConfig.xml file will be written and appear in this location as output. The Path parameter is optional when running the cmdlet on the DC being prepared for cloning. In this case, the default location of the DIT folder will be used and this parameter does not need to be specified. When running the New-DCCLoneConfigFile cmdlet in offline mode (i.e. when the Offline parameter is specified), however, the Path parameter is required.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PreferredWINSServer</maml:name><maml:description><maml:para>Specifies the name of the primary Windows Internet Naming Service (WINS) server to use as the preferred WINS Server for the cloned DC.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SiteName</maml:name><maml:description><maml:para>Specifies the name of the Active Directory site in which to place the cloned DC.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Static</maml:name><maml:description><maml:para>Indicates whether the TCP/IP configuration specified for the cloned DC is static or dynamic IP configuration.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para></maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para></maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\>New-ADDCCloneConfigFile –Static -IPv4Address "10.0.0.2" -IPv4DNSResolver "10.0.0.1" -IPv4SubnetMask "255.255.255.0" -CloneComputerName "VirtualDC2" -IPv4DefaultGateway "10.0.0.3" -PreferredWINSServer "10.0.0.1" -SiteName "REDMOND" </dev:code><dev:remarks><maml:para>Creates a clone domain controller named VirtualDC2 with a static IPv4 address.</maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\>New-ADDCCloneConfigFile -Static -CloneComputerName "Clone1" -IPv6DNSResolver "FEC0:0:0:FFFF::1" </dev:code><dev:remarks><maml:para>Creates a clone domain controller named Clone1 with a static IPv6 settings.</maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\>New-ADDCCloneConfigFile -AlternateWINSServer "10.0.0.3" -CloneComputerName "Clone2"-IPv4DNSResolver "10.0.0.1" -PreferredWINSServer "10.0.0.1" </dev:code><dev:remarks><maml:para>Creates a clone domain controller named Clone2 with dynamic IPv4 settings.</maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\>New-ADDCCloneConfigFile -IPv6DNSResolver "FEC0:0:0:FFFF::1" -SiteName "REDMOND" </dev:code><dev:remarks><maml:para>Creates a clone domain controller with dynamic IPv6 settings.</maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 5 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\>New-ADDCCloneConfigFile –Static -IPv4Address "10.0.0.2" -IPv4DNSResolver "10.0.0.1" -IPv4SubnetMask "255.255.255.0" -Static -IPv6DNSResolver "FEC0:0:0:FFFF::1" -CloneComputerName "Clone2" -PreferredWINSServer "10.0.0.1" </dev:code><dev:remarks><maml:para>Creates a clone domain controller named Clone2 with static IPv4 and static IPv6 settings.</maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 6 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\>New-ADDCCloneConfigFile -IPv4Address "10.0.0.2" -IPv4DNSResolver "10.0.0.1" -IPv4SubnetMask "255.255.255.0" -IPv4DefaultGateway "10.0.0.3" -IPv6DNSResolver "FEC0:0:0:FFFF::1" </dev:code><dev:remarks><maml:para>Creates a clone domain controller named Clone2 with static IPv4 and dynamic IPv6 settings.</maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 7 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\>New-ADDCCloneConfigFile –Static -IPv6DNSResolver "FEC0:0:0:FFFF::1" -CloneComputerName "Clone1" -PreferredWINSServer "10.0.0.1" -SiteName "REDMOND" </dev:code><dev:remarks><maml:para>Creates a clone domain controller named Clone1 with dynamic IPv4 and static IPv6 settings.</maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 8 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\>New-ADDCCloneConfigFile -IPv4DNSResolver "10.0.0.1" -IPv6DNSResolver "FEC0:0:0:FFFF::1" </dev:code><dev:remarks><maml:para>Creates a clone domain controller with dynamic IPv4 and dynamic IPv6 settings.</maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 9 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\>New-DCCloneConfig –Offline –CloneComputerName CloneDC1 –SiteName REDMOND –Path F:\Windows\NTDS -Force </dev:code><dev:remarks><maml:para>Creates a clone domain controller named CloneDC1 in offline mode, in a site called "REDMOND" with a dynamic IPv4 address. This command also uses the -Force parameter to force overwrite of any previous DCCloneConfig.xml file created at the specified path (F:\Windows\NTDS).</maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291065</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADDCCloningExcludedApplicationList</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>New-ADFineGrainedPasswordPolicy</command:name><maml:description><maml:para>Creates a new Active Directory fine grained password policy.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>New</command:verb><command:noun>ADFineGrainedPasswordPolicy</command:noun><dev:version /></command:details><maml:description><maml:para>The New-ADFineGrainedPasswordPolicy cmdlet creates a new Active Directory fine grained password policy. You can set commonly used fine grained password policy property values by using the cmdlet parameters. Property values that are not associated with cmdlet parameters can be set by using the OtherAttributes parameter. </maml:para><maml:para>You must set the Name and Precedence parameters to create a new fine grained password policy. </maml:para><maml:para>The following methods explain different ways to create an object by using this cmdlet. </maml:para><maml:para>Method 1: Use the New-ADFineGrainedPasswordPolicy cmdlet, specify the required parameters, and set any additional property values by using the cmdlet parameters. </maml:para><maml:para>Method 2: Use a template to create the new object. To do this, create a new fine grained password policy object or retrieve a copy of an existing fine grained password policy object and set the Instance parameter to this object. The object provided to the Instance parameter is used as a template for the new object. You can override property values from the template by setting cmdlet parameters. For examples and more information, see the Instance parameter description for this cmdlet. </maml:para><maml:para>Method 3: Use the Import-CSV cmdlet with the New-ADFineGrainedPasswordPolicy cmdlet to create multiple Active Directory fine grained password policy objects. To do this, use the Import-CSV cmdlet to create the custom objects from a comma-separated value (CSV) file that contains a list of object properties. Then pass these objects through the pipeline to the New-ADFineGrainedPasswordPolicy cmdlet to create the fine grained password policy objects. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>New-ADFineGrainedPasswordPolicy</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name". </maml:para><maml:para>The following example shows how to set this parameter to a name string. </maml:para><maml:para>-Name "SaraDavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""><maml:name>Precedence</maml:name><maml:description><maml:para>Specifies a value that defines the precedence of a fine-grained password policy among all fine-grained password policies. This parameter sets the Precedence property for a fine-grained password policy. The LDAP display name (ldapDisplayName) for this property is "msDS-PasswordSettingsPrecedence". </maml:para><maml:para>This value determines which password policy to use when more than one password policy applies to a user or group. When there is a conflict, the password policy that has the lower Precedence property value has higher priority. For example, if PasswordPolicy1 has a Precedence property value of 200 and PasswordPolicy2 has a Precedence property value of 100, PasswordPolicy2 is used. </maml:para><maml:para>Typically, password policy precedence values are assigned in multiples of 10 or 100, making it easier to add policies at a later time. For example, if you set the initial precedence values for your policies to 100 and 200, you can add another policy that has precedence value of 150. </maml:para><maml:para>If the specified Precedence parameter is already assigned to another password policy object, the cmdlet returns a terminating error. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Precedence 100 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ComplexityEnabled</maml:name><maml:description><maml:para>Specifies whether password complexity is enabled for the password policy. If enabled, the password must contain three of the following five character types: </maml:para><maml:para>Uppercase characters (A, B, C, D, E, ...) </maml:para><maml:para>Lowercase characters (a, b, c, d, e, ...) </maml:para><maml:para>Numerals (0, 1, 2, 3, ...) </maml:para><maml:para>Alpha numeric (ABC123, BCF678, YUH321, kju657, ...) </maml:para><maml:para>Special characters (#, $, *, %, ...) </maml:para><maml:para>This parameter sets the ComplexityEnabled property of a password policy. </maml:para><maml:para>Possible values for this parameter include: </maml:para><maml:para>$false or 0 - Disables password complexity </maml:para><maml:para>$true or 1 - Enables password complexity </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ComplexityEnabled $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is "displayName". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-DisplayName "Sara Davis Laptop" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of a fine-grained password policy object to use as a template for a new fine-grained password policy object. </maml:para><maml:para>You can use an instance of an existing fine-grained password policy object as a template or you can construct a new fine-grained password policy object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new fine-grained password policy object. </maml:para><maml:para>Method 1: Use an existing fine-grained password policy object as a template for a new object. To retrieve an instance of an existing fine-grained password policy object, use a cmdlet such as Get-ADFineGrainedPasswordPolicy. Then provide this object to the Instance parameter of the New-ADFineGrainedPasswordPolicy cmdlet to create a new fine-grained password policy object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$fineGrainedPasswordPolicyInstance = Get-ADFineGrainedPasswordPolicy -Identity PasswordPolicy90 </maml:para><maml:para>New-ADFineGrainedPasswordPolicy -Name "PasswordPolicy180" -Instance $fineGrainedPasswordPolicyInstance -Precedence 600 -MaxPasswordAge "180" </maml:para><maml:para>Method 2: Create a new ADFineGrainedPasswordPolicy object and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADFineGrainedPasswordPolicy cmdlet to create the new Active Directory fine-grained password policy object. </maml:para><maml:para>$fineGrainedPasswordPolicyInstance = new-object Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy </maml:para><maml:para>$fineGrainedPasswordPolicyInstance.MaxPasswordAge = "180" </maml:para><maml:para>New-ADFineGrainedPasswordPolicy -Name "PasswordPolicy180" -Instance $fineGrainedPasswordPolicyInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADFineGrainedPasswordPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>LockoutDuration</maml:name><maml:description><maml:para>Specifies the length of time that an account is locked after the number of failed login attempts exceeds the lockout threshold. You cannot login to an account that is locked until the lockout duration time period has expired. This parameter sets the lockoutDuration property of a password policy object. The LDAP display name (ldapDisplayName) of this property is "msDS-LockoutDuration". </maml:para><maml:para>The lockout duration must be greater than or equal to the lockout observation time for a password policy. Use the LockOutObservationWindow parameter to set the lockout observation time. </maml:para><maml:para>Specify the lockout duration time interval in the following format. </maml:para><maml:para>[-]D.H:M:S.F </maml:para><maml:para>where: </maml:para><maml:para>D = Days (0 to 10675199) </maml:para><maml:para>H = Hours (0 to 23) </maml:para><maml:para>M = Minutes (0 to 59) </maml:para><maml:para>S = Seconds (0 to 59) </maml:para><maml:para>F= Fractions of a second (0 to 9999999) </maml:para><maml:para>The following examples show how to set this parameter. </maml:para><maml:para>Set the time to 2 days </maml:para><maml:para>-LockoutDuration "2" </maml:para><maml:para>Set the time to 4 hours </maml:para><maml:para>-LockoutDuration "4:00" </maml:para><maml:para>Set the time to 5 minutes </maml:para><maml:para>-LockoutDuration "0:5" </maml:para><maml:para>Set the time to 45 seconds </maml:para><maml:para>LockoutDuration "0:0:45" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">TimeSpan</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>LockoutObservationWindow</maml:name><maml:description><maml:para>Specifies the maximum time interval between two unsuccessful login attempts before the number of unsuccessful login attempts is reset to 0. An account is locked when the number of unsuccessful login attempts exceeds the password policy lockout threshold. This parameter sets the lockoutObservationWindow property of a password policy object. The LDAP Display Name (ldapDisplayName) of this property is "msDS-lockoutObservationWindow". </maml:para><maml:para>The lockout observation window must be smaller than or equal to the lockout duration for a password policy. Use the LockoutDuration parameter to set the lockout duration time. </maml:para><maml:para>Specify the time interval in the following format. </maml:para><maml:para>[-]D:H:M:S.F </maml:para><maml:para>where: </maml:para><maml:para>D = Days (0 to 10675199) </maml:para><maml:para>H = Hours (0 to 23) </maml:para><maml:para>M = Minutes (0 to 59) </maml:para><maml:para>S = Seconds (0 to 59) </maml:para><maml:para>F= Fractions of a second (0 to 9999999) </maml:para><maml:para>Note: Time values must be between the following values: 0:0:0:0.0 and 10675199:02:48:05.4775807. </maml:para><maml:para>The following examples show how to set this parameter. </maml:para><maml:para>Set the time to 2 days </maml:para><maml:para>-LockoutObservationWindow "2" </maml:para><maml:para>Set the time to 4 hours </maml:para><maml:para>-LockoutObservationWindow "4:00" </maml:para><maml:para>Set the time to 5 minutes </maml:para><maml:para>-LockoutObservationWindow "0:5" </maml:para><maml:para>Set the time to 45 seconds </maml:para><maml:para>-LockoutObservationWindow "0:0:45" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">TimeSpan</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>LockoutThreshold</maml:name><maml:description><maml:para>Specifies the number of unsuccessful login attempts that are permitted before an account is locked out. This number increases when the time between unsuccessful login attempts is less than the time specified for the lockout observation time window. This parameter sets the LockoutThreshold property of a password policy. </maml:para><maml:para>The following example shows how to set the lockout threshold to 3 login attempts. </maml:para><maml:para>-LockoutThreshold 3 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>MaxPasswordAge</maml:name><maml:description><maml:para>Specifies the maximum length of time that you can have the same password. After this time period, the password expires and you must create a new one. </maml:para><maml:para>This parameter sets the maxPasswordAge property of a password policy. The LDAP Display Name (ldapDisplayName) for this property is "maxPwdAge". </maml:para><maml:para>Specify the time interval in the following format. </maml:para><maml:para>[-]D.H:M:S.F </maml:para><maml:para>where: </maml:para><maml:para>[-] = Specifies a negative time interval </maml:para><maml:para>D = Days (0 to 10675199) </maml:para><maml:para>H = Hours (0 to 23) </maml:para><maml:para>M = Minutes (0 to 59) </maml:para><maml:para>S = Seconds (0 to 59) </maml:para><maml:para>F= Fractions of a second (0 to 9999999) </maml:para><maml:para>Note: Time values must be between the following values: -10675199:02:48:05.4775808 and 10675199:02:48:05.4775807. </maml:para><maml:para>The following examples show how to set this parameter. </maml:para><maml:para>Set the time span to 2 days </maml:para><maml:para>MaxPasswordAge "2" </maml:para><maml:para>Set the time span to the previous 2 days </maml:para><maml:para>MaxPasswordAge "-2" </maml:para><maml:para>Set the time span to 4 hours </maml:para><maml:para>MaxPasswordAge "4:00" </maml:para><maml:para>Set the time span to 5 minutes </maml:para><maml:para>MaxPasswordAge "0:5" </maml:para><maml:para>Set the time span to 45 seconds </maml:para><maml:para>MaxPasswordAge "0:0:45" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">TimeSpan</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>MinPasswordAge</maml:name><maml:description><maml:para>Specifies the minimum length of time before you can change a password. </maml:para><maml:para>This parameter sets the minPasswordAge property of a password policy. The LDAP Display Name (ldapDisplayName) for this property is "minPwdAge". </maml:para><maml:para>Specify the time interval in the following format. </maml:para><maml:para>[-]D.H:M:S.F </maml:para><maml:para>where: </maml:para><maml:para>[-] = Specifies a negative time interval </maml:para><maml:para>D = Days (0 to 10675199) </maml:para><maml:para>H = Hours (0 to 23) </maml:para><maml:para>M = Minutes (0 to 59) </maml:para><maml:para>S = Seconds (0 to 59) </maml:para><maml:para>F= Fractions of a second (0 to 9999999) </maml:para><maml:para>Note: Time values must be between the following values: -10675199:02:48:05.4775808 and 10675199:02:48:05.4775807. </maml:para><maml:para>The following examples show how to set this parameter. </maml:para><maml:para>Set the time span to 2 days </maml:para><maml:para>-MinPasswordAge "2" </maml:para><maml:para>Set the time span to 4 hours </maml:para><maml:para>-MinPasswordAge "4:00" </maml:para><maml:para>Set the time span to 5 minutes </maml:para><maml:para>-MinPasswordAge "0:5" </maml:para><maml:para>Set the time span to 45 seconds </maml:para><maml:para>-MinPasswordAge "0:0:45" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">TimeSpan</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>MinPasswordLength</maml:name><maml:description><maml:para>Specifies the minimum number of characters that a password must contain. This parameter sets the MinPasswordLength property of the password policy. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-MinPasswordLength 15 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OtherAttributes</maml:name><maml:description><maml:para>Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory schema. </maml:para><maml:para>Syntax: </maml:para><maml:para>To specify a single value for an attribute: </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value} </maml:para><maml:para>To specify multiple values for an attribute </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...} </maml:para><maml:para>You can specify values for more than one attribute by using semicolons to separate attributes. The following syntax shows how to set values for multiple attributes: </maml:para><maml:para>-OtherAttributes @{'Attribute1LDAPDisplayName'=value; 'Attribute2LDAPDisplayName'=value1,value2;...} </maml:para><maml:para>The following examples show how to use this parameter. </maml:para><maml:para>To set the value of a custom attribute called favColors that takes a set of Unicode strings, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"} </maml:para><maml:para>To set values for favColors and dateOfBirth simultaneously, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"; 'dateOfBirth'=" 01/01/1960"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>PasswordHistoryCount</maml:name><maml:description><maml:para>Specifies the number of previous passwords to save. A user cannot reuse a password in the list of saved passwords. This parameter sets the PasswordHistoryCount property for a password policy. </maml:para><maml:para>The following example shows how to set this parameter to save 10 previous passwords. </maml:para><maml:para>-PasswordHistoryCount 10 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ReversibleEncryptionEnabled</maml:name><maml:description><maml:para>Specifies whether the directory must store passwords using reversible encryption. This parameter sets the ReversibleEncryption property for a password policy. Possible values for this parameter include the following: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ReversibleEncryptionEnabled $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ComplexityEnabled</maml:name><maml:description><maml:para>Specifies whether password complexity is enabled for the password policy. If enabled, the password must contain three of the following five character types: </maml:para><maml:para>Uppercase characters (A, B, C, D, E, ...) </maml:para><maml:para>Lowercase characters (a, b, c, d, e, ...) </maml:para><maml:para>Numerals (0, 1, 2, 3, ...) </maml:para><maml:para>Alpha numeric (ABC123, BCF678, YUH321, kju657, ...) </maml:para><maml:para>Special characters (#, $, *, %, ...) </maml:para><maml:para>This parameter sets the ComplexityEnabled property of a password policy. </maml:para><maml:para>Possible values for this parameter include: </maml:para><maml:para>$false or 0 - Disables password complexity </maml:para><maml:para>$true or 1 - Enables password complexity </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ComplexityEnabled $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue>$true</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is "displayName". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-DisplayName "Sara Davis Laptop" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of a fine-grained password policy object to use as a template for a new fine-grained password policy object. </maml:para><maml:para>You can use an instance of an existing fine-grained password policy object as a template or you can construct a new fine-grained password policy object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new fine-grained password policy object. </maml:para><maml:para>Method 1: Use an existing fine-grained password policy object as a template for a new object. To retrieve an instance of an existing fine-grained password policy object, use a cmdlet such as Get-ADFineGrainedPasswordPolicy. Then provide this object to the Instance parameter of the New-ADFineGrainedPasswordPolicy cmdlet to create a new fine-grained password policy object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$fineGrainedPasswordPolicyInstance = Get-ADFineGrainedPasswordPolicy -Identity PasswordPolicy90 </maml:para><maml:para>New-ADFineGrainedPasswordPolicy -Name "PasswordPolicy180" -Instance $fineGrainedPasswordPolicyInstance -Precedence 600 -MaxPasswordAge "180" </maml:para><maml:para>Method 2: Create a new ADFineGrainedPasswordPolicy object and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADFineGrainedPasswordPolicy cmdlet to create the new Active Directory fine-grained password policy object. </maml:para><maml:para>$fineGrainedPasswordPolicyInstance = new-object Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy </maml:para><maml:para>$fineGrainedPasswordPolicyInstance.MaxPasswordAge = "180" </maml:para><maml:para>New-ADFineGrainedPasswordPolicy -Name "PasswordPolicy180" -Instance $fineGrainedPasswordPolicyInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADFineGrainedPasswordPolicy</command:parameterValue><dev:type><maml:name>ADFineGrainedPasswordPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>LockoutDuration</maml:name><maml:description><maml:para>Specifies the length of time that an account is locked after the number of failed login attempts exceeds the lockout threshold. You cannot login to an account that is locked until the lockout duration time period has expired. This parameter sets the lockoutDuration property of a password policy object. The LDAP display name (ldapDisplayName) of this property is "msDS-LockoutDuration". </maml:para><maml:para>The lockout duration must be greater than or equal to the lockout observation time for a password policy. Use the LockOutObservationWindow parameter to set the lockout observation time. </maml:para><maml:para>Specify the lockout duration time interval in the following format. </maml:para><maml:para>[-]D.H:M:S.F </maml:para><maml:para>where: </maml:para><maml:para>D = Days (0 to 10675199) </maml:para><maml:para>H = Hours (0 to 23) </maml:para><maml:para>M = Minutes (0 to 59) </maml:para><maml:para>S = Seconds (0 to 59) </maml:para><maml:para>F= Fractions of a second (0 to 9999999) </maml:para><maml:para>The following examples show how to set this parameter. </maml:para><maml:para>Set the time to 2 days </maml:para><maml:para>-LockoutDuration "2" </maml:para><maml:para>Set the time to 4 hours </maml:para><maml:para>-LockoutDuration "4:00" </maml:para><maml:para>Set the time to 5 minutes </maml:para><maml:para>-LockoutDuration "0:5" </maml:para><maml:para>Set the time to 45 seconds </maml:para><maml:para>LockoutDuration "0:0:45" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">TimeSpan</command:parameterValue><dev:type><maml:name>TimeSpan</maml:name><maml:uri /></dev:type><dev:defaultValue>0.00:30:00 (30 Minutes)</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>LockoutObservationWindow</maml:name><maml:description><maml:para>Specifies the maximum time interval between two unsuccessful login attempts before the number of unsuccessful login attempts is reset to 0. An account is locked when the number of unsuccessful login attempts exceeds the password policy lockout threshold. This parameter sets the lockoutObservationWindow property of a password policy object. The LDAP Display Name (ldapDisplayName) of this property is "msDS-lockoutObservationWindow". </maml:para><maml:para>The lockout observation window must be smaller than or equal to the lockout duration for a password policy. Use the LockoutDuration parameter to set the lockout duration time. </maml:para><maml:para>Specify the time interval in the following format. </maml:para><maml:para>[-]D:H:M:S.F </maml:para><maml:para>where: </maml:para><maml:para>D = Days (0 to 10675199) </maml:para><maml:para>H = Hours (0 to 23) </maml:para><maml:para>M = Minutes (0 to 59) </maml:para><maml:para>S = Seconds (0 to 59) </maml:para><maml:para>F= Fractions of a second (0 to 9999999) </maml:para><maml:para>Note: Time values must be between the following values: 0:0:0:0.0 and 10675199:02:48:05.4775807. </maml:para><maml:para>The following examples show how to set this parameter. </maml:para><maml:para>Set the time to 2 days </maml:para><maml:para>-LockoutObservationWindow "2" </maml:para><maml:para>Set the time to 4 hours </maml:para><maml:para>-LockoutObservationWindow "4:00" </maml:para><maml:para>Set the time to 5 minutes </maml:para><maml:para>-LockoutObservationWindow "0:5" </maml:para><maml:para>Set the time to 45 seconds </maml:para><maml:para>-LockoutObservationWindow "0:0:45" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">TimeSpan</command:parameterValue><dev:type><maml:name>TimeSpan</maml:name><maml:uri /></dev:type><dev:defaultValue>0.00.30.00 (30 Minutes)</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>LockoutThreshold</maml:name><maml:description><maml:para>Specifies the number of unsuccessful login attempts that are permitted before an account is locked out. This number increases when the time between unsuccessful login attempts is less than the time specified for the lockout observation time window. This parameter sets the LockoutThreshold property of a password policy. </maml:para><maml:para>The following example shows how to set the lockout threshold to 3 login attempts. </maml:para><maml:para>-LockoutThreshold 3 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue>0</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>MaxPasswordAge</maml:name><maml:description><maml:para>Specifies the maximum length of time that you can have the same password. After this time period, the password expires and you must create a new one. </maml:para><maml:para>This parameter sets the maxPasswordAge property of a password policy. The LDAP Display Name (ldapDisplayName) for this property is "maxPwdAge". </maml:para><maml:para>Specify the time interval in the following format. </maml:para><maml:para>[-]D.H:M:S.F </maml:para><maml:para>where: </maml:para><maml:para>[-] = Specifies a negative time interval </maml:para><maml:para>D = Days (0 to 10675199) </maml:para><maml:para>H = Hours (0 to 23) </maml:para><maml:para>M = Minutes (0 to 59) </maml:para><maml:para>S = Seconds (0 to 59) </maml:para><maml:para>F= Fractions of a second (0 to 9999999) </maml:para><maml:para>Note: Time values must be between the following values: -10675199:02:48:05.4775808 and 10675199:02:48:05.4775807. </maml:para><maml:para>The following examples show how to set this parameter. </maml:para><maml:para>Set the time span to 2 days </maml:para><maml:para>MaxPasswordAge "2" </maml:para><maml:para>Set the time span to the previous 2 days </maml:para><maml:para>MaxPasswordAge "-2" </maml:para><maml:para>Set the time span to 4 hours </maml:para><maml:para>MaxPasswordAge "4:00" </maml:para><maml:para>Set the time span to 5 minutes </maml:para><maml:para>MaxPasswordAge "0:5" </maml:para><maml:para>Set the time span to 45 seconds </maml:para><maml:para>MaxPasswordAge "0:0:45" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">TimeSpan</command:parameterValue><dev:type><maml:name>TimeSpan</maml:name><maml:uri /></dev:type><dev:defaultValue>42.00:00:00 (42 days)</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>MinPasswordAge</maml:name><maml:description><maml:para>Specifies the minimum length of time before you can change a password. </maml:para><maml:para>This parameter sets the minPasswordAge property of a password policy. The LDAP Display Name (ldapDisplayName) for this property is "minPwdAge". </maml:para><maml:para>Specify the time interval in the following format. </maml:para><maml:para>[-]D.H:M:S.F </maml:para><maml:para>where: </maml:para><maml:para>[-] = Specifies a negative time interval </maml:para><maml:para>D = Days (0 to 10675199) </maml:para><maml:para>H = Hours (0 to 23) </maml:para><maml:para>M = Minutes (0 to 59) </maml:para><maml:para>S = Seconds (0 to 59) </maml:para><maml:para>F= Fractions of a second (0 to 9999999) </maml:para><maml:para>Note: Time values must be between the following values: -10675199:02:48:05.4775808 and 10675199:02:48:05.4775807. </maml:para><maml:para>The following examples show how to set this parameter. </maml:para><maml:para>Set the time span to 2 days </maml:para><maml:para>-MinPasswordAge "2" </maml:para><maml:para>Set the time span to 4 hours </maml:para><maml:para>-MinPasswordAge "4:00" </maml:para><maml:para>Set the time span to 5 minutes </maml:para><maml:para>-MinPasswordAge "0:5" </maml:para><maml:para>Set the time span to 45 seconds </maml:para><maml:para>-MinPasswordAge "0:0:45" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">TimeSpan</command:parameterValue><dev:type><maml:name>TimeSpan</maml:name><maml:uri /></dev:type><dev:defaultValue>1.00:00:00 (1day)</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>MinPasswordLength</maml:name><maml:description><maml:para>Specifies the minimum number of characters that a password must contain. This parameter sets the MinPasswordLength property of the password policy. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-MinPasswordLength 15 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue>7</dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name". </maml:para><maml:para>The following example shows how to set this parameter to a name string. </maml:para><maml:para>-Name "SaraDavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OtherAttributes</maml:name><maml:description><maml:para>Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory schema. </maml:para><maml:para>Syntax: </maml:para><maml:para>To specify a single value for an attribute: </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value} </maml:para><maml:para>To specify multiple values for an attribute </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...} </maml:para><maml:para>You can specify values for more than one attribute by using semicolons to separate attributes. The following syntax shows how to set values for multiple attributes: </maml:para><maml:para>-OtherAttributes @{'Attribute1LDAPDisplayName'=value; 'Attribute2LDAPDisplayName'=value1,value2;...} </maml:para><maml:para>The following examples show how to use this parameter. </maml:para><maml:para>To set the value of a custom attribute called favColors that takes a set of Unicode strings, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"} </maml:para><maml:para>To set values for favColors and dateOfBirth simultaneously, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"; 'dateOfBirth'=" 01/01/1960"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>PasswordHistoryCount</maml:name><maml:description><maml:para>Specifies the number of previous passwords to save. A user cannot reuse a password in the list of saved passwords. This parameter sets the PasswordHistoryCount property for a password policy. </maml:para><maml:para>The following example shows how to set this parameter to save 10 previous passwords. </maml:para><maml:para>-PasswordHistoryCount 10 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue>24</dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""><maml:name>Precedence</maml:name><maml:description><maml:para>Specifies a value that defines the precedence of a fine-grained password policy among all fine-grained password policies. This parameter sets the Precedence property for a fine-grained password policy. The LDAP display name (ldapDisplayName) for this property is "msDS-PasswordSettingsPrecedence". </maml:para><maml:para>This value determines which password policy to use when more than one password policy applies to a user or group. When there is a conflict, the password policy that has the lower Precedence property value has higher priority. For example, if PasswordPolicy1 has a Precedence property value of 200 and PasswordPolicy2 has a Precedence property value of 100, PasswordPolicy2 is used. </maml:para><maml:para>Typically, password policy precedence values are assigned in multiples of 10 or 100, making it easier to add policies at a later time. For example, if you set the initial precedence values for your policies to 100 and 200, you can add another policy that has precedence value of 150. </maml:para><maml:para>If the specified Precedence parameter is already assigned to another password policy object, the cmdlet returns a terminating error. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Precedence 100 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ReversibleEncryptionEnabled</maml:name><maml:description><maml:para>Specifies whether the directory must store passwords using reversible encryption. This parameter sets the ReversibleEncryption property for a password policy. Possible values for this parameter include the following: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ReversibleEncryptionEnabled $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue>$true</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A fine grained password policy object that is a template for the new fine grained password policy object is received by the Instance parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns the new fine grained password policy object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with AD LDS. </maml:para><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADFineGrainedPasswordPolicy -Name "DomainUsersPSO" -Precedence 500 -ComplexityEnabled $true -Description "The Domain Users Password Policy" -DisplayName "Domain Users PSO" -LockoutDuration "0.12:00:00" -LockoutObservationWindow "0.00:15:00" -LockoutThreshold 10 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new Fine Grained Password Policy object named 'DomainUsersPSO' and set the Precedence, ComplexityEnabled, Description, DisplayName, LockoutDuration, LockoutObservationWindw, and LockoutThreshold properties on the object. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>$templatePSO = New-Object Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy $templatePSO.ComplexityEnabled = $true $templatePSO.LockoutDuration = [TimeSpan]::Parse("0.12:00:00") $templatePSO.LockoutObservationWindow = [TimeSpan]::Parse("0.00:15:00") $templatePSO.LockoutThreshold = 10 $templatePSO.MinPasswordAge = [TimeSpan]::Parse("0.00:10:00") $templatePSO.PasswordHistoryCount = 24 $templatePSO.ReversibleEncryptionEnabled = $false New-ADFineGrainedPasswordPolicy -Instance $templatePSO -Name "SvcAccPSO" -Precedence 100 -Description "The Service Accounts Password Policy" -DisplayName "Service Accounts PSO" -MaxPasswordAge "30.00:00:00" -MinPasswordLength 20 New-ADFineGrainedPasswordPolicy -Instance $templatePSO -Name "AdminsPSO" -Precedence 200 -Description "The Domain Administrators Password Policy" -DisplayName "Domain Administrators PSO" -MaxPasswordAge "15.00:00:00" -MinPasswordLength 10 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create two new Fine Grained Password Policy object using a template object. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291066</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADFineGrainedPasswordPolicy</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADFineGrainedPasswordPolicy</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADFineGrainedPasswordPolicy</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>New-ADGroup</command:name><maml:description><maml:para>Creates an Active Directory group. </maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>New</command:verb><command:noun>ADGroup</command:noun><dev:version /></command:details><maml:description><maml:para>The New-ADGroup cmdlet creates a new Active Directory group object. Many object properties are defined by setting cmdlet parameters. Properties that cannot be set by cmdlet parameters can be set using the OtherAttributes parameter. </maml:para><maml:para>The Name and GroupScope parameters specify the name and scope of the group and are required to create a new group. You can define the new group as a security or distribution group by setting the GroupType parameter. The Path parameter specifies the container or organizational unit (OU) for the group. </maml:para><maml:para>The following methods explain different ways to create an object by using this cmdlet. </maml:para><maml:para>Method 1: Use the New-ADGroup cmdlet, specify the required parameters, and set any additional property values by using the cmdlet parameters. </maml:para><maml:para>Method 2: Use a template to create the new object. To do this, create a new group object or retrieve a copy of an existing group object and set the Instance parameter to this object. The object provided to the Instance parameter is used as a template for the new object. You can override property values from the template by setting cmdlet parameters. For examples and more information, see the Instance parameter description for this cmdlet. </maml:para><maml:para>Method 3: Use the Import-CSV cmdlet with the New-ADGroup cmdlet to create multiple Active Directory group objects. To do this, use the Import-CSV cmdlet to create the custom objects from a comma-separated value (CSV) file that contains a list of object properties. Then pass these objects through the pipeline to the New-ADGroup cmdlet to create the group objects. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>New-ADGroup</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name". </maml:para><maml:para>The following example shows how to set this parameter to a name string. </maml:para><maml:para>-Name "SaraDavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases=""><maml:name>GroupScope</maml:name><maml:description><maml:para>Specifies the group scope of the group. Possible values of this parameter are: </maml:para><maml:para>DomainLocal or 0 </maml:para><maml:para>Global or 1 </maml:para><maml:para>Universal or 2 </maml:para><maml:para>This parameter sets the GroupScope property of a group object to the specified value. The LDAP display name of this property is "groupType". </maml:para><maml:para>The following example shows two ways to set this parameter to DomainLocal. </maml:para><maml:para>-GroupScope DomainLocal </maml:para><maml:para>-GroupScope 0 </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">DomainLocal</command:parameterValue><command:parameterValue required="true" variableLength="false">Global</command:parameterValue><command:parameterValue required="true" variableLength="false">Universal</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is "displayName". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-DisplayName "Sara Davis Laptop" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>GroupCategory</maml:name><maml:description><maml:para>Specifies the category of the group. Possible values of this parameter are: </maml:para><maml:para>Distribution or 0 </maml:para><maml:para>Security or 1 </maml:para><maml:para>This parameter sets the GroupCategory property of the group. This parameter value combined with other group values sets the LDAP Display Name (ldapDisplayName) attribute named "groupType". </maml:para><maml:para>The following example shows how to specify that a group is a security group. </maml:para><maml:para>-GroupCategory security </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Distribution</command:parameterValue><command:parameterValue required="true" variableLength="false">Security</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>HomePage</maml:name><maml:description><maml:para>Specifies the URL of the home page of the object. This parameter sets the homePage property of an Active Directory object. The LDAP Display Name (ldapDisplayName) for this property is "wWWHomePage". </maml:para><maml:para>The following example shows how to set this parameter to a URL. </maml:para><maml:para>-HomePage "http://employees.contoso.com/sdavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of a group object to use as a template for a new group object. </maml:para><maml:para>You can use an instance of an existing group object as a template or you can construct a new group object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create group object templates. </maml:para><maml:para>Method 1: Use an existing group object as a template for a new object. Use the Get-ADGroup cmdlet to retrieve a group object then pass this object to the Instance parameter of the New-ADGroup cmdlet to create a new group object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$groupInstance = Get-ADGroup -Identity "KarenTohReports" </maml:para><maml:para>New-ADGroup -Name "Sara Davis Reports" -Instance $groupInstance GroupType DomainLocal </maml:para><maml:para>Method 2: Create a new ADGroup object and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADGroup cmdlet to create the new group object. </maml:para><maml:para>$groupTemplate = New-Object Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>$groupTemplateGroupType = DomainLocal </maml:para><maml:para>New-ADGroup -Name "Sara Davis Reports" -Instance $groupInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADGroup</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ManagedBy</maml:name><maml:description><maml:para>Specifies the user or group that manages the object by providing one of the following property values. Note: The identifier in parentheses is the LDAP display name for the property. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,OU=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>This parameter sets the Active Directory attribute with an LDAP Display Name of "managedBy". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-ManagedBy ContosoAdmins </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADPrincipal</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OtherAttributes</maml:name><maml:description><maml:para>Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory schema. </maml:para><maml:para>Syntax: </maml:para><maml:para>To specify a single value for an attribute: </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value} </maml:para><maml:para>To specify multiple values for an attribute </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...} </maml:para><maml:para>You can specify values for more than one attribute by using semicolons to separate attributes. The following syntax shows how to set values for multiple attributes: </maml:para><maml:para>-OtherAttributes @{'Attribute1LDAPDisplayName'=value; 'Attribute2LDAPDisplayName'=value1,value2;...} </maml:para><maml:para>The following examples show how to use this parameter. </maml:para><maml:para>To set the value of a custom attribute called favColors that takes a set of Unicode strings, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"} </maml:para><maml:para>To set values for favColors and dateOfBirth simultaneously, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"; 'dateOfBirth'=" 01/01/1960"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Path</maml:name><maml:description><maml:para>Specifies the X.500 path of the Organizational Unit (OU) or container where the new object is created. </maml:para><maml:para>In many cases, a default value will be used for the Path parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Path will be set in the following cases: </maml:para><maml:para>- If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive. </maml:para><maml:para>- If the cmdlet has a default path, this will be used. For example: in New-ADUser, the Path parameter would default to the Users container. </maml:para><maml:para>- If none of the previous cases apply, the default value of Path will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Path will be set in the following cases: </maml:para><maml:para>- If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive. </maml:para><maml:para>- If the cmdlet has a default path, this will be used. For example: in New-ADUser, the Path parameter would default to the Users container. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Path will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Path parameter will not take any default value. </maml:para><maml:para>The following example shows how to set this parameter to an OU. </maml:para><maml:para>-Path "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>Note: The Active Directory Provider cmdlets, such New-Item, Remove-Item, Remove-ItemProperty, Rename-Item and Set-ItemProperty also contain a Path property. However, for the provider cmdlets, the Path parameter identifies the path of the actual object and not the container as with the Active Directory cmdlets. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>SamAccountName</maml:name><maml:description><maml:para>Specifies the Security Account Manager (SAM) account name of the user, group, computer, or service account. The maximum length of the description is 256 characters. To be compatible with older operating systems, create a SAM account name that is 20 characters or less. This parameter sets the SAMAccountName for an account object. The LDAP display name (ldapDisplayName) for this property is "sAMAccountName". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-SAMAccountName "saradavis" </maml:para><maml:para>Note: If the string value provided is not terminated with a '$' character, the system adds one if needed. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is "displayName". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-DisplayName "Sara Davis Laptop" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>GroupCategory</maml:name><maml:description><maml:para>Specifies the category of the group. Possible values of this parameter are: </maml:para><maml:para>Distribution or 0 </maml:para><maml:para>Security or 1 </maml:para><maml:para>This parameter sets the GroupCategory property of the group. This parameter value combined with other group values sets the LDAP Display Name (ldapDisplayName) attribute named "groupType". </maml:para><maml:para>The following example shows how to specify that a group is a security group. </maml:para><maml:para>-GroupCategory security </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADGroupCategory</command:parameterValue><dev:type><maml:name>ADGroupCategory</maml:name><maml:uri /></dev:type><dev:defaultValue>Security</dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases=""><maml:name>GroupScope</maml:name><maml:description><maml:para>Specifies the group scope of the group. Possible values of this parameter are: </maml:para><maml:para>DomainLocal or 0 </maml:para><maml:para>Global or 1 </maml:para><maml:para>Universal or 2 </maml:para><maml:para>This parameter sets the GroupScope property of a group object to the specified value. The LDAP display name of this property is "groupType". </maml:para><maml:para>The following example shows two ways to set this parameter to DomainLocal. </maml:para><maml:para>-GroupScope DomainLocal </maml:para><maml:para>-GroupScope 0 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADGroupScope</command:parameterValue><dev:type><maml:name>ADGroupScope</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>HomePage</maml:name><maml:description><maml:para>Specifies the URL of the home page of the object. This parameter sets the homePage property of an Active Directory object. The LDAP Display Name (ldapDisplayName) for this property is "wWWHomePage". </maml:para><maml:para>The following example shows how to set this parameter to a URL. </maml:para><maml:para>-HomePage "http://employees.contoso.com/sdavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of a group object to use as a template for a new group object. </maml:para><maml:para>You can use an instance of an existing group object as a template or you can construct a new group object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create group object templates. </maml:para><maml:para>Method 1: Use an existing group object as a template for a new object. Use the Get-ADGroup cmdlet to retrieve a group object then pass this object to the Instance parameter of the New-ADGroup cmdlet to create a new group object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$groupInstance = Get-ADGroup -Identity "KarenTohReports" </maml:para><maml:para>New-ADGroup -Name "Sara Davis Reports" -Instance $groupInstance GroupType DomainLocal </maml:para><maml:para>Method 2: Create a new ADGroup object and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADGroup cmdlet to create the new group object. </maml:para><maml:para>$groupTemplate = New-Object Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>$groupTemplateGroupType = DomainLocal </maml:para><maml:para>New-ADGroup -Name "Sara Davis Reports" -Instance $groupInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADGroup</command:parameterValue><dev:type><maml:name>ADGroup</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ManagedBy</maml:name><maml:description><maml:para>Specifies the user or group that manages the object by providing one of the following property values. Note: The identifier in parentheses is the LDAP display name for the property. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,OU=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>This parameter sets the Active Directory attribute with an LDAP Display Name of "managedBy". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-ManagedBy ContosoAdmins </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADPrincipal</command:parameterValue><dev:type><maml:name>ADPrincipal</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name". </maml:para><maml:para>The following example shows how to set this parameter to a name string. </maml:para><maml:para>-Name "SaraDavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OtherAttributes</maml:name><maml:description><maml:para>Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory schema. </maml:para><maml:para>Syntax: </maml:para><maml:para>To specify a single value for an attribute: </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value} </maml:para><maml:para>To specify multiple values for an attribute </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...} </maml:para><maml:para>You can specify values for more than one attribute by using semicolons to separate attributes. The following syntax shows how to set values for multiple attributes: </maml:para><maml:para>-OtherAttributes @{'Attribute1LDAPDisplayName'=value; 'Attribute2LDAPDisplayName'=value1,value2;...} </maml:para><maml:para>The following examples show how to use this parameter. </maml:para><maml:para>To set the value of a custom attribute called favColors that takes a set of Unicode strings, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"} </maml:para><maml:para>To set values for favColors and dateOfBirth simultaneously, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"; 'dateOfBirth'=" 01/01/1960"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Path</maml:name><maml:description><maml:para>Specifies the X.500 path of the Organizational Unit (OU) or container where the new object is created. </maml:para><maml:para>In many cases, a default value will be used for the Path parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Path will be set in the following cases: </maml:para><maml:para>- If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive. </maml:para><maml:para>- If the cmdlet has a default path, this will be used. For example: in New-ADUser, the Path parameter would default to the Users container. </maml:para><maml:para>- If none of the previous cases apply, the default value of Path will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Path will be set in the following cases: </maml:para><maml:para>- If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive. </maml:para><maml:para>- If the cmdlet has a default path, this will be used. For example: in New-ADUser, the Path parameter would default to the Users container. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Path will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Path parameter will not take any default value. </maml:para><maml:para>The following example shows how to set this parameter to an OU. </maml:para><maml:para>-Path "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>Note: The Active Directory Provider cmdlets, such New-Item, Remove-Item, Remove-ItemProperty, Rename-Item and Set-ItemProperty also contain a Path property. However, for the provider cmdlets, the Path parameter identifies the path of the actual object and not the container as with the Active Directory cmdlets. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>SamAccountName</maml:name><maml:description><maml:para>Specifies the Security Account Manager (SAM) account name of the user, group, computer, or service account. The maximum length of the description is 256 characters. To be compatible with older operating systems, create a SAM account name that is 20 characters or less. This parameter sets the SAMAccountName for an account object. The LDAP display name (ldapDisplayName) for this property is "sAMAccountName". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-SAMAccountName "saradavis" </maml:para><maml:para>Note: If the string value provided is not terminated with a '$' character, the system adds one if needed. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADGroup</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A group object that is a template for the new group object is received by the Instance parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADGroup</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns the new group object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADGroup -Name "RODC Admins" -SamAccountName RODCAdmins -GroupCategory Security -GroupScope Global -DisplayName "RODC Administrators" -Path "CN=Users,DC=Fabrikam,DC=Com" -Description "Members of this group are RODC Administrators" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new group named 'RODC Admins' in the container 'CN=Users,DC=Fabrikam,DC=Com' and set the GroupCategory, DisplayName, GroupScope, and Description properties on the new object. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADGroup FabrikamBranch1 -Properties Description | New-ADGroup -Name Branch1Employees -SamAccountName Branch1Employees -GroupCategory Distribution -PassThru GroupScope : Universal Name : Branch1Employees GroupCategory : Distribution SamAccountName : Branch1Employees ObjectClass : group ObjectGUID : 8eebce44-5df7-4bed-a98b-b987a702103e SID : S-1-5-21-41432690-3719764436-1984117282-1117 DistinguishedName : CN=Branch1Employees,CN=Users,DC=Fabrikam,DC=com </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new group using the property values from a current group. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADGroup -Server localhost:60000 -Path "OU=AccountDeptOU,DC=AppNC" -Name AccountLeads -GroupScope DomainLocal -GroupCategory Distribution </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new group named 'AccountLeads' on an AD LDS instance. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291067</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADGroup</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADGroup</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADGroup</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Import-CSV</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>New-ADObject</command:name><maml:description><maml:para>Creates an Active Directory object. </maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>New</command:verb><command:noun>ADObject</command:noun><dev:version /></command:details><maml:description><maml:para>The New-ADObject cmdlet creates a new Active Directory object such as a new organizational unit or new user account. You can use this cmdlet to create any type of Active Directory object. Many object properties are defined by setting cmdlet parameters. Properties that are not set by cmdlet parameters can be set by using the OtherAttributes parameter. </maml:para><maml:para>You must set the Name and Type parameters to create a new Active Directory object. The Name specifies the name of the new object. The Type parameter specifies the LDAP display name of the Active Directory Schema Class that represents the type of object you want to create. Examples of Type values include computer, group, organizational unit, and user. </maml:para><maml:para>The Path parameter specifies the container where the object will be created.. When you do not specify the Path parameter, the cmdlet creates an object in the default naming context container for Active Directory objects in the domain. </maml:para><maml:para>The following methods explain different ways to create an object by using this cmdlet. </maml:para><maml:para>Method 1: Use the New-ADObject cmdlet, specify the required parameters, and set any additional property values by using the cmdlet parameters. </maml:para><maml:para>Method 2: Use a template to create the new object. To do this, create a new Active Directory object or retrieve a copy of an existing Active Directory object and set the Instance parameter to this object. The object provided to the Instance parameter is used as a template for the new object. You can override property values from the template by setting cmdlet parameters. For examples and more information, see the Instance parameter description for this cmdlet. For information about Active Directory cmdlets use the Instance parameter, see about_ActiveDirectory_Instance. </maml:para><maml:para>Method 3: Use the Import-CSV cmdlet with the New-ADObject cmdlet to create multiple Active Directory objects. To do this, use the Import-CSV cmdlet to create the custom objects from a comma-separated value (CSV) file that contains a list of object properties. Then pass these objects through the pipeline to the New-ADObject cmdlet to create the Active Directory objects. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>New-ADObject</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name". </maml:para><maml:para>The following example shows how to set this parameter to a name string. </maml:para><maml:para>-Name "SaraDavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases=""><maml:name>Type</maml:name><maml:description><maml:para>Specifies the type of object to create. Set the Type parameter to the LDAP display name of the Active Directory Schema Class that represents the type of object that you want to create. Examples of type values include user, computer, and group. </maml:para><maml:para>The following example shows how to use this parameter to create a new Active Directory group object. </maml:para><maml:para>-Type "group" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is "displayName". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-DisplayName "Sara Davis Laptop" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of an Active Directory object to use as a template for a new Active Directory object. </maml:para><maml:para>You can use an instance of an existing Active Directory object as a template or you can construct a new Active Directory object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new Active Directory object. </maml:para><maml:para>Method 1: Use an existing Active Directory object as a template for a new object. To retrieve an instance of an existing Active Directory object, use a cmdlet such as Get-ADObject. Then provide this object to the Instance parameter of the New-ADObject cmdlet to create a new Active Directory object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADObject -Identity saraDavisDesktop </maml:para><maml:para>New-ADObject -Name "ellenAdamsDesktop" -Instance $ObjectInstance -Type "computer" </maml:para><maml:para>Method 2: Create a new ADObject and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADObject cmdlet to create the new Active Directory object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADObject $objectInstance.Description = "Ellen Adams New Computer" New-ADObject -Name ellenAdamsDesktop -Instance $ObjectInstance -Type computer </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADObject</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OtherAttributes</maml:name><maml:description><maml:para>Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory schema. </maml:para><maml:para>Syntax: </maml:para><maml:para>To specify a single value for an attribute: </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value} </maml:para><maml:para>To specify multiple values for an attribute </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...} </maml:para><maml:para>You can specify values for more than one attribute by using semicolons to separate attributes. The following syntax shows how to set values for multiple attributes: </maml:para><maml:para>-OtherAttributes @{'Attribute1LDAPDisplayName'=value; 'Attribute2LDAPDisplayName'=value1,value2;...} </maml:para><maml:para>The following examples show how to use this parameter. </maml:para><maml:para>To set the value of a custom attribute called favColors that takes a set of Unicode strings, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"} </maml:para><maml:para>To set values for favColors and dateOfBirth simultaneously, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"; 'dateOfBirth'=" 01/01/1960"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Path</maml:name><maml:description><maml:para>Specifies the X.500 path of the Organizational Unit (OU) or container where the new object is created. </maml:para><maml:para>In many cases, a default value will be used for the Path parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Path will be set in the following cases: </maml:para><maml:para>- If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive. </maml:para><maml:para>- If the cmdlet has a default path, this will be used. For example: in New-ADUser, the Path parameter would default to the Users container. </maml:para><maml:para>- If none of the previous cases apply, the default value of Path will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Path will be set in the following cases: </maml:para><maml:para>- If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive. </maml:para><maml:para>- If the cmdlet has a default path, this will be used. For example: in New-ADUser, the Path parameter would default to the Users container. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Path will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Path parameter will not take any default value. </maml:para><maml:para>The following example shows how to set this parameter to an OU. </maml:para><maml:para>-Path "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>Note: The Active Directory Provider cmdlets, such New-Item, Remove-Item, Remove-ItemProperty, Rename-Item and Set-ItemProperty also contain a Path property. However, for the provider cmdlets, the Path parameter identifies the path of the actual object and not the container as with the Active Directory cmdlets. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is "displayName". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-DisplayName "Sara Davis Laptop" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of an Active Directory object to use as a template for a new Active Directory object. </maml:para><maml:para>You can use an instance of an existing Active Directory object as a template or you can construct a new Active Directory object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new Active Directory object. </maml:para><maml:para>Method 1: Use an existing Active Directory object as a template for a new object. To retrieve an instance of an existing Active Directory object, use a cmdlet such as Get-ADObject. Then provide this object to the Instance parameter of the New-ADObject cmdlet to create a new Active Directory object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADObject -Identity saraDavisDesktop </maml:para><maml:para>New-ADObject -Name "ellenAdamsDesktop" -Instance $ObjectInstance -Type "computer" </maml:para><maml:para>Method 2: Create a new ADObject and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADObject cmdlet to create the new Active Directory object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADObject $objectInstance.Description = "Ellen Adams New Computer" New-ADObject -Name ellenAdamsDesktop -Instance $ObjectInstance -Type computer </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADObject</command:parameterValue><dev:type><maml:name>ADObject</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name". </maml:para><maml:para>The following example shows how to set this parameter to a name string. </maml:para><maml:para>-Name "SaraDavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OtherAttributes</maml:name><maml:description><maml:para>Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory schema. </maml:para><maml:para>Syntax: </maml:para><maml:para>To specify a single value for an attribute: </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value} </maml:para><maml:para>To specify multiple values for an attribute </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...} </maml:para><maml:para>You can specify values for more than one attribute by using semicolons to separate attributes. The following syntax shows how to set values for multiple attributes: </maml:para><maml:para>-OtherAttributes @{'Attribute1LDAPDisplayName'=value; 'Attribute2LDAPDisplayName'=value1,value2;...} </maml:para><maml:para>The following examples show how to use this parameter. </maml:para><maml:para>To set the value of a custom attribute called favColors that takes a set of Unicode strings, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"} </maml:para><maml:para>To set values for favColors and dateOfBirth simultaneously, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"; 'dateOfBirth'=" 01/01/1960"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Path</maml:name><maml:description><maml:para>Specifies the X.500 path of the Organizational Unit (OU) or container where the new object is created. </maml:para><maml:para>In many cases, a default value will be used for the Path parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Path will be set in the following cases: </maml:para><maml:para>- If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive. </maml:para><maml:para>- If the cmdlet has a default path, this will be used. For example: in New-ADUser, the Path parameter would default to the Users container. </maml:para><maml:para>- If none of the previous cases apply, the default value of Path will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Path will be set in the following cases: </maml:para><maml:para>- If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive. </maml:para><maml:para>- If the cmdlet has a default path, this will be used. For example: in New-ADUser, the Path parameter would default to the Users container. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Path will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Path parameter will not take any default value. </maml:para><maml:para>The following example shows how to set this parameter to an OU. </maml:para><maml:para>-Path "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>Note: The Active Directory Provider cmdlets, such New-Item, Remove-Item, Remove-ItemProperty, Rename-Item and Set-ItemProperty also contain a Path property. However, for the provider cmdlets, the Path parameter identifies the path of the actual object and not the container as with the Active Directory cmdlets. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases=""><maml:name>Type</maml:name><maml:description><maml:para>Specifies the type of object to create. Set the Type parameter to the LDAP display name of the Active Directory Schema Class that represents the type of object that you want to create. Examples of type values include user, computer, and group. </maml:para><maml:para>The following example shows how to use this parameter to create a new Active Directory group object. </maml:para><maml:para>-Type "group" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADObject</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>An Active Directory object that is a template for the new object is received by the Instance parameter. </maml:para><maml:para>Derived types such as the following are also accepted: </maml:para><maml:para>-Microsoft.ActiveDirectory.Management.ADPartition </maml:para><maml:para>-Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy </maml:para><maml:para>-Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>-Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>-Microsoft.ActiveDirectory.Management.ADComputer </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADObject</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns the new Active Directory object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADObject -Name '192.168.1.0/26' -Type subnet -Description '192.168.1.0/255.255.255.192' -OtherAttributes @{location="Building A";siteObject="CN=HQ,CN=Sites,CN=Configuration,DC=FABRIKAM,DC=COM"} -Path "CN=Subnets,CN=Sites,CN=Configuration,DC=FABRIKAM,DC=COM" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Creates a subnet object in the HQ site with the described attributes. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>$subnetTemplate = get-adobject -Identity "CN=192.168.1.0/26,CN=Subnets,CN=Sites,CN=Configuration,DC=Fabrikam,DC=com" -properties description,location; new-adobject -instance $subnetTemplate -name "192.168.1.0/28" -type subnet -path "CN=Subnets,CN=Sites,CN=Configuration,DC=FABRIKAM,DC=COM" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Creates a new subnet object, using a different subnet object as a template </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADObject -name SaraDavisContact -type contact -ProtectedFromAccidentalDeletion $true -OtherAttributes @{'msDS-SourceObjectDN'="CN=FabrikamContacts,DC=CONTOSO,DC=COM"} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Creates a new contact object, sets the msDS-SourceObjectDN property and protects the object from accidental deletion </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>new-adobject -name Apps -type container -path "DC=AppNC" -server "FABRIKAM-SRV1:60000" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Creates a new container object named 'Apps' in an LDS instance. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291068</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADObject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Move-ADObject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADObject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Rename-ADObject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Restore-ADObject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADObject</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>New-ADOrganizationalUnit</command:name><maml:description><maml:para>Creates a new Active Directory organizational unit.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>New</command:verb><command:noun>ADOrganizationalUnit</command:noun><dev:version /></command:details><maml:description><maml:para>The New-ADOrganizationalUnit cmdlet creates a new Active Directory organizational unit. You can set commonly used organizational unit property values by using the cmdlet parameters. Property values that are not associated with cmdlet parameters can be set by using the OtherAttributes parameter. </maml:para><maml:para>You must set the Name parameter to create a new organizational unit. When you do not specify the Path parameter, the cmdlet creates an organizational unit under the default NC head for the domain. </maml:para><maml:para>The following methods explain different ways to create an object by using this cmdlet. </maml:para><maml:para>Method 1: Use the New-ADOrganizationalUnit cmdlet, specify the required parameters, and set any additional property values by using the cmdlet parameters. </maml:para><maml:para>Method 2: Use a template to create the new object. To do this, create a new organizational unit object or retrieve a copy of an existing organizational unit object and set the Instance parameter to this object. The object provided to the Instance parameter is used as a template for the new object. You can override property values from the template by setting cmdlet parameters. For examples and more information, see the Instance parameter description for this cmdlet. </maml:para><maml:para>Method 3: Use the Import-CSV cmdlet with the New-ADOrganizationalUnit cmdlet to create multiple Active Directory organizational unit objects. To do this, use the Import-CSV cmdlet to create the custom objects from a comma-separated value (CSV) file that contains a list of object properties. Then pass these objects through the pipeline to the New-ADOrganizationalUnit cmdlet to create the organizational unit objects. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>New-ADOrganizationalUnit</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name". </maml:para><maml:para>The following example shows how to set this parameter to a name string. </maml:para><maml:para>-Name "SaraDavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>City</maml:name><maml:description><maml:para>Specifies the user's town or city. This parameter sets the City property of a user. The LDAP display name (ldapDisplayName) of this property is "l". </maml:para><maml:para>The following example shows how set this parameter. </maml:para><maml:para>-City "Las Vegas" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Country</maml:name><maml:description><maml:para>Specifies the country or region code for the user's language of choice. This parameter sets the Country property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "c". This value is not used by Windows 2000. </maml:para><maml:para>The following example shows how set this parameter. </maml:para><maml:para>-Country "IN" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is "displayName". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-DisplayName "Sara Davis Laptop" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of an organizational unit object to use as a template for a new organizational unit object. </maml:para><maml:para>You can use an instance of an existing organizational unit object as a template or you can construct a new organizational unit object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create organizational unit object templates. </maml:para><maml:para>Method 1: Use an existing organizational unit object as a template for a new object. To retrieve an instance of an existing organizational unit object use Get-ADOrganizationalUnit. Then provide this object to the Instance parameter of the New-ADOrganizationalUnit cmdlet to create a new organizational unit object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$organizationalUnitInstance = Get-ADOrganizationalUnit -Identity accountingAsia </maml:para><maml:para>New-ADOrganizationalUnit -Name accountingAustralia -Instance $OrganizationalUnitInstance -Country Australia </maml:para><maml:para>Method 2: Create a new ADOrganizationalUnit object and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADOrganizationalUnit cmdlet to create the new Active Directory organizational unit object. </maml:para><maml:para>$OrganizationalUnitInstance = new-object Microsoft.ActiveDirectory.Management.ADOrganizationalUnit </maml:para><maml:para>$OrganizationalUnitInstance.Country = Australia </maml:para><maml:para>New-ADOrganizationalUnit -Name accountingAustralia -Instance $OrganizationalUnitInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADOrganizationalUnit</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ManagedBy</maml:name><maml:description><maml:para>Specifies the user or group that manages the object by providing one of the following property values. Note: The identifier in parentheses is the LDAP display name for the property. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,OU=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>This parameter sets the Active Directory attribute with an LDAP Display Name of "managedBy". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-ManagedBy ContosoAdmins </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADPrincipal</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OtherAttributes</maml:name><maml:description><maml:para>Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory schema. </maml:para><maml:para>Syntax: </maml:para><maml:para>To specify a single value for an attribute: </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value} </maml:para><maml:para>To specify multiple values for an attribute </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...} </maml:para><maml:para>You can specify values for more than one attribute by using semicolons to separate attributes. The following syntax shows how to set values for multiple attributes: </maml:para><maml:para>-OtherAttributes @{'Attribute1LDAPDisplayName'=value; 'Attribute2LDAPDisplayName'=value1,value2;...} </maml:para><maml:para>The following examples show how to use this parameter. </maml:para><maml:para>To set the value of a custom attribute called favColors that takes a set of Unicode strings, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"} </maml:para><maml:para>To set values for favColors and dateOfBirth simultaneously, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"; 'dateOfBirth'=" 01/01/1960"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Path</maml:name><maml:description><maml:para>Specifies the X.500 path of the Organizational Unit (OU) or container where the new object is created. </maml:para><maml:para>In many cases, a default value will be used for the Path parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Path will be set in the following cases: </maml:para><maml:para>- If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive. </maml:para><maml:para>- If the cmdlet has a default path, this will be used. For example: in New-ADUser, the Path parameter would default to the Users container. </maml:para><maml:para>- If none of the previous cases apply, the default value of Path will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Path will be set in the following cases: </maml:para><maml:para>- If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive. </maml:para><maml:para>- If the cmdlet has a default path, this will be used. For example: in New-ADUser, the Path parameter would default to the Users container. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Path will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Path parameter will not take any default value. </maml:para><maml:para>The following example shows how to set this parameter to an OU. </maml:para><maml:para>-Path "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>Note: The Active Directory Provider cmdlets, such New-Item, Remove-Item, Remove-ItemProperty, Rename-Item and Set-ItemProperty also contain a Path property. However, for the provider cmdlets, the Path parameter identifies the path of the actual object and not the container as with the Active Directory cmdlets. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>PostalCode</maml:name><maml:description><maml:para>Specifies the user's postal code or zip code. This parameter sets the PostalCode property of a user. The LDAP Display Name (ldapDisplayName) of this property is "postalCode". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-PostalCode "28712" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>State</maml:name><maml:description><maml:para>Specifies the user's or Organizational Unit's state or province. This parameter sets the State property of a User or Organizational Unit object. The LDAP display name (ldapDisplayName) of this property is "st". </maml:para><maml:para>The following example shows how set this parameter. </maml:para><maml:para>-State "Nevada" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>StreetAddress</maml:name><maml:description><maml:para>Specifies the organizational unit's street address. This parameter sets the StreetAddress property of a organizational unit object. The LDAP display name (ldapDisplayName) of this property is "street". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-StreetAddress "1200 Main Street" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>City</maml:name><maml:description><maml:para>Specifies the user's town or city. This parameter sets the City property of a user. The LDAP display name (ldapDisplayName) of this property is "l". </maml:para><maml:para>The following example shows how set this parameter. </maml:para><maml:para>-City "Las Vegas" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Country</maml:name><maml:description><maml:para>Specifies the country or region code for the user's language of choice. This parameter sets the Country property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "c". This value is not used by Windows 2000. </maml:para><maml:para>The following example shows how set this parameter. </maml:para><maml:para>-Country "IN" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is "displayName". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-DisplayName "Sara Davis Laptop" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of an organizational unit object to use as a template for a new organizational unit object. </maml:para><maml:para>You can use an instance of an existing organizational unit object as a template or you can construct a new organizational unit object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create organizational unit object templates. </maml:para><maml:para>Method 1: Use an existing organizational unit object as a template for a new object. To retrieve an instance of an existing organizational unit object use Get-ADOrganizationalUnit. Then provide this object to the Instance parameter of the New-ADOrganizationalUnit cmdlet to create a new organizational unit object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$organizationalUnitInstance = Get-ADOrganizationalUnit -Identity accountingAsia </maml:para><maml:para>New-ADOrganizationalUnit -Name accountingAustralia -Instance $OrganizationalUnitInstance -Country Australia </maml:para><maml:para>Method 2: Create a new ADOrganizationalUnit object and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADOrganizationalUnit cmdlet to create the new Active Directory organizational unit object. </maml:para><maml:para>$OrganizationalUnitInstance = new-object Microsoft.ActiveDirectory.Management.ADOrganizationalUnit </maml:para><maml:para>$OrganizationalUnitInstance.Country = Australia </maml:para><maml:para>New-ADOrganizationalUnit -Name accountingAustralia -Instance $OrganizationalUnitInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADOrganizationalUnit</command:parameterValue><dev:type><maml:name>ADOrganizationalUnit</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ManagedBy</maml:name><maml:description><maml:para>Specifies the user or group that manages the object by providing one of the following property values. Note: The identifier in parentheses is the LDAP display name for the property. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,OU=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>This parameter sets the Active Directory attribute with an LDAP Display Name of "managedBy". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-ManagedBy ContosoAdmins </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADPrincipal</command:parameterValue><dev:type><maml:name>ADPrincipal</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name". </maml:para><maml:para>The following example shows how to set this parameter to a name string. </maml:para><maml:para>-Name "SaraDavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OtherAttributes</maml:name><maml:description><maml:para>Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory schema. </maml:para><maml:para>Syntax: </maml:para><maml:para>To specify a single value for an attribute: </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value} </maml:para><maml:para>To specify multiple values for an attribute </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...} </maml:para><maml:para>You can specify values for more than one attribute by using semicolons to separate attributes. The following syntax shows how to set values for multiple attributes: </maml:para><maml:para>-OtherAttributes @{'Attribute1LDAPDisplayName'=value; 'Attribute2LDAPDisplayName'=value1,value2;...} </maml:para><maml:para>The following examples show how to use this parameter. </maml:para><maml:para>To set the value of a custom attribute called favColors that takes a set of Unicode strings, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"} </maml:para><maml:para>To set values for favColors and dateOfBirth simultaneously, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"; 'dateOfBirth'=" 01/01/1960"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Path</maml:name><maml:description><maml:para>Specifies the X.500 path of the Organizational Unit (OU) or container where the new object is created. </maml:para><maml:para>In many cases, a default value will be used for the Path parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Path will be set in the following cases: </maml:para><maml:para>- If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive. </maml:para><maml:para>- If the cmdlet has a default path, this will be used. For example: in New-ADUser, the Path parameter would default to the Users container. </maml:para><maml:para>- If none of the previous cases apply, the default value of Path will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Path will be set in the following cases: </maml:para><maml:para>- If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive. </maml:para><maml:para>- If the cmdlet has a default path, this will be used. For example: in New-ADUser, the Path parameter would default to the Users container. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Path will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Path parameter will not take any default value. </maml:para><maml:para>The following example shows how to set this parameter to an OU. </maml:para><maml:para>-Path "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>Note: The Active Directory Provider cmdlets, such New-Item, Remove-Item, Remove-ItemProperty, Rename-Item and Set-ItemProperty also contain a Path property. However, for the provider cmdlets, the Path parameter identifies the path of the actual object and not the container as with the Active Directory cmdlets. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>PostalCode</maml:name><maml:description><maml:para>Specifies the user's postal code or zip code. This parameter sets the PostalCode property of a user. The LDAP Display Name (ldapDisplayName) of this property is "postalCode". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-PostalCode "28712" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue>$true</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>State</maml:name><maml:description><maml:para>Specifies the user's or Organizational Unit's state or province. This parameter sets the State property of a User or Organizational Unit object. The LDAP display name (ldapDisplayName) of this property is "st". </maml:para><maml:para>The following example shows how set this parameter. </maml:para><maml:para>-State "Nevada" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>StreetAddress</maml:name><maml:description><maml:para>Specifies the organizational unit's street address. This parameter sets the StreetAddress property of a organizational unit object. The LDAP display name (ldapDisplayName) of this property is "street". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-StreetAddress "1200 Main Street" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADOrganizationalUnit</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>An organizational unit object that is a template for the new organizational unit object is received by the Instance parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADOrganizationalUnit</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns the new organizational unit object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADOrganizationalUnit -Name UserAccounts -Path "DC=FABRIKAM,DC=COM" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Creates a new OrganizationalUnit named 'UserAccounts' which is protected from accidental deletion. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADOrganizationalUnit -Name UserAccounts -Path "DC=FABRIKAM,DC=COM" -ProtectedFromAccidentalDeletion $false </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Creates a new OrganizationalUnit named 'UserAccounts' which is not protected from deletion. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADOrganizationalUnit -Name UserAccounts -Path "DC=FABRIKAM,DC=COM" -OtherAttributes @{seeAlso="CN=HumanResourceManagers,OU=Groups,OU=Managed,DC=Fabrikam,DC=com";managedBy="CN=TomC,DC=FABRIKAM,DC=COM"} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Creates an OrganizationalUnit name 'UserAccounts' which is protected from accidental deletion with properties 'seeAlso' and 'managedBy' set to the specified values. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>$ouTemplate = Get-ADOrganizationalUnit "OU=UserAccounts,DC=Fabrikam,DC=com" -properties seeAlso,managedBy; New-ADOrganizationalUnit -name TomCReports -instance $ouTemplate </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Uses the data from the OrganizationalUnit 'OU=UserAccounts,DC=Fabrikam,DC=com' as a template for another new OrganizationalUnit. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 5 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADOrganizationalUnit -name "Managed" -path "DC=AppNC" -server "FABRIKAM-SRV1:60000" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Creates a new OrganizationalUnit named 'Managed' in an LDS instance. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291069</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADOrganizationalUnit</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADOrganizationalUnit</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADOrganizationalUnit</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>New-ADReplicationSite</command:name><maml:description><maml:para>Creates a new Active Directory replication site in the directory.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>New</command:verb><command:noun>ADReplicationSite</command:noun><dev:version /></command:details><maml:description><maml:para>The New-ADReplicationSite cmdlet is used to create new sites in Active Directory replication. Sites are used in Active Directory to either enable clients to discover network resources (published shares, domain controllers) close to the physical location of a client computer or to reduce network traffic over wide area network (WAN) links. Sites can also be used to optimize replication between domain controllers. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>New-ADReplicationSite</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies a name for the replication site object. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AutomaticInterSiteTopologyGenerationEnabled</maml:name><maml:description><maml:para>Prevents the KCC that functions as the intersite topology generator (ISTG) from generating connections for intersite replication. Use this option when you want to create manual intersite connections (disable the ISTG) but retain the KCC to generate intrasite connections. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AutomaticTopologyGenerationEnabled</maml:name><maml:description><maml:para>When enabled, prevents the KCC from generating intrasite connections on all servers in the site. Disable this option if you use manual connections and do not want the KCC to build connections automatically. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of a site object to use as a template for a new site object. </maml:para><maml:para>You can use an instance of an existing site object as a template or you can construct a new site object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new site object. </maml:para><maml:para>Method 1: Use an existing site object as a template for a new object. To retrieve an instance of an existing site object, use the Get-ADReplicationSite cmdlet. Then provide this site object to the Instance parameter of the New-ADReplicationSite cmdlet to create a new site object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADReplicationSite -Identity NorthAmerica </maml:para><maml:para>New-ADReplicationSite -Name "SouthAmerica" -Instance $ObjectInstance </maml:para><maml:para>Method 2: Create a new ADReplicationSite and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADReplicationSite cmdlet to create the new site object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADReplicationSite </maml:para><maml:para>$objectInstance.Description = "North America" </maml:para><maml:para>New-ADReplicationSite -Name "NorthAmerica" -Instance $ObjectInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSite</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>InterSiteTopologyGenerator</maml:name><maml:description><maml:para>The server acting as the inter-site topology generator for this site. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADDirectoryServer</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ManagedBy</maml:name><maml:description><maml:para>Specifies the user or group that manages the object by providing one of the following property values. Note: The identifier in parentheses is the LDAP display name for the property. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,OU=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>This parameter sets the Active Directory attribute with an LDAP Display Name of "managedBy". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-ManagedBy ContosoAdmins </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADPrincipal</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OtherAttributes</maml:name><maml:description><maml:para>Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory schema. </maml:para><maml:para>Syntax: </maml:para><maml:para>To specify a single value for an attribute: </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value} </maml:para><maml:para>To specify multiple values for an attribute </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...} </maml:para><maml:para>You can specify values for more than one attribute by using semicolons to separate attributes. The following syntax shows how to set values for multiple attributes: </maml:para><maml:para>-OtherAttributes @{'Attribute1LDAPDisplayName'=value; 'Attribute2LDAPDisplayName'=value1,value2;...} </maml:para><maml:para>The following examples show how to use this parameter. </maml:para><maml:para>To set the value of a custom attribute called favColors that takes a set of Unicode strings, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"} </maml:para><maml:para>To set values for favColors and dateOfBirth simultaneously, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"; 'dateOfBirth'=" 01/01/1960"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>RedundantServerTopologyEnabled</maml:name><maml:description><maml:para>Creates redundant connections between sites before a failure takes place. When enabled, disables KCC failover. Requires that automatic detection of failed connections also be disabled (+IS_TOPL_DETECT_STALE_DISABLED). </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ReplicationSchedule</maml:name><maml:description><maml:para>Default replication schedule for connections within this site (intra-site replication). </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ActiveDirectorySchedule</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ScheduleHashingEnabled</maml:name><maml:description><maml:para>Spreads replication start times randomly across the entire schedule interval rather than just the first quarter of the interval. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>TopologyCleanupEnabled</maml:name><maml:description><maml:para>When enabled, prevents the KCC from removing connection objects that it does not need. Disable this option if you want to take responsibility for removing old redundant connections. Alternatively, to control or augment the topology, you can use manual connections, which the KCC does not delete. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>TopologyDetectStaleEnabled</maml:name><maml:description><maml:para>Prevents the KCC from excluding servers that are unreachable from the topology; that is, the KCC does use an alternate server to reroute replication. Use this option only if network communication is very unstable and brief outages are expected. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>TopologyMinimumHopsEnabled</maml:name><maml:description><maml:para>When enabled, prevents the KCC from generating optimizing connections in the ring topology of intrasite replication. Optimizing connections reduce the replication latency in the site and disabling them is not recommended. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>UniversalGroupCachingEnabled</maml:name><maml:description><maml:para>True if this site caches universal groups (those on GCs); useful in sites with no local GC. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>UniversalGroupCachingRefreshSite</maml:name><maml:description><maml:para>If universal group caching is enabled, the name of the site from which the cache is pulled. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSite</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>WindowsServer2000BridgeheadSelectionMethodEnabled</maml:name><maml:description><maml:para>Implements the Windows 2000 Server method of selecting a single bridgehead server per directory partition and transport. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>WindowsServer2000KCCISTGSelectionBehaviorEnabled</maml:name><maml:description><maml:para>Off by default. When enabled, implements the Windows 2000 Server method of ISTG selection. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>WindowsServer2003KCCBehaviorEnabled</maml:name><maml:description><maml:para>Implements KCC operation that is consistent with Windows Server 2003 forest functional level. This option can be set if all domain controllers in the site are running Windows Server 2003. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>WindowsServer2003KCCIgnoreScheduleEnabled</maml:name><maml:description><maml:para>When the forest functional level Windows Server 2003 or Windows Server 2003 interim is in effect, provides KCC control of the ability to ignore schedules (replication occurs at the designated intervals and is always available). </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>WindowsServer2003KCCSiteLinkBridgingEnabled</maml:name><maml:description><maml:para>When the forest functional level Windows Server 2003 or Windows Server 2003 interim is in effect, provides KCC control of the ability to enable or disable site link bridging. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AutomaticInterSiteTopologyGenerationEnabled</maml:name><maml:description><maml:para>Prevents the KCC that functions as the intersite topology generator (ISTG) from generating connections for intersite replication. Use this option when you want to create manual intersite connections (disable the ISTG) but retain the KCC to generate intrasite connections. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AutomaticTopologyGenerationEnabled</maml:name><maml:description><maml:para>When enabled, prevents the KCC from generating intrasite connections on all servers in the site. Disable this option if you use manual connections and do not want the KCC to build connections automatically. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of a site object to use as a template for a new site object. </maml:para><maml:para>You can use an instance of an existing site object as a template or you can construct a new site object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new site object. </maml:para><maml:para>Method 1: Use an existing site object as a template for a new object. To retrieve an instance of an existing site object, use the Get-ADReplicationSite cmdlet. Then provide this site object to the Instance parameter of the New-ADReplicationSite cmdlet to create a new site object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADReplicationSite -Identity NorthAmerica </maml:para><maml:para>New-ADReplicationSite -Name "SouthAmerica" -Instance $ObjectInstance </maml:para><maml:para>Method 2: Create a new ADReplicationSite and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADReplicationSite cmdlet to create the new site object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADReplicationSite </maml:para><maml:para>$objectInstance.Description = "North America" </maml:para><maml:para>New-ADReplicationSite -Name "NorthAmerica" -Instance $ObjectInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSite</command:parameterValue><dev:type><maml:name>ADReplicationSite</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>InterSiteTopologyGenerator</maml:name><maml:description><maml:para>The server acting as the inter-site topology generator for this site. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADDirectoryServer</command:parameterValue><dev:type><maml:name>ADDirectoryServer</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ManagedBy</maml:name><maml:description><maml:para>Specifies the user or group that manages the object by providing one of the following property values. Note: The identifier in parentheses is the LDAP display name for the property. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,OU=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>This parameter sets the Active Directory attribute with an LDAP Display Name of "managedBy". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-ManagedBy ContosoAdmins </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADPrincipal</command:parameterValue><dev:type><maml:name>ADPrincipal</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies a name for the replication site object. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OtherAttributes</maml:name><maml:description><maml:para>Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory schema. </maml:para><maml:para>Syntax: </maml:para><maml:para>To specify a single value for an attribute: </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value} </maml:para><maml:para>To specify multiple values for an attribute </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...} </maml:para><maml:para>You can specify values for more than one attribute by using semicolons to separate attributes. The following syntax shows how to set values for multiple attributes: </maml:para><maml:para>-OtherAttributes @{'Attribute1LDAPDisplayName'=value; 'Attribute2LDAPDisplayName'=value1,value2;...} </maml:para><maml:para>The following examples show how to use this parameter. </maml:para><maml:para>To set the value of a custom attribute called favColors that takes a set of Unicode strings, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"} </maml:para><maml:para>To set values for favColors and dateOfBirth simultaneously, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"; 'dateOfBirth'=" 01/01/1960"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>RedundantServerTopologyEnabled</maml:name><maml:description><maml:para>Creates redundant connections between sites before a failure takes place. When enabled, disables KCC failover. Requires that automatic detection of failed connections also be disabled (+IS_TOPL_DETECT_STALE_DISABLED). </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ReplicationSchedule</maml:name><maml:description><maml:para>Default replication schedule for connections within this site (intra-site replication). </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ActiveDirectorySchedule</command:parameterValue><dev:type><maml:name>ActiveDirectorySchedule</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ScheduleHashingEnabled</maml:name><maml:description><maml:para>Spreads replication start times randomly across the entire schedule interval rather than just the first quarter of the interval. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>TopologyCleanupEnabled</maml:name><maml:description><maml:para>When enabled, prevents the KCC from removing connection objects that it does not need. Disable this option if you want to take responsibility for removing old redundant connections. Alternatively, to control or augment the topology, you can use manual connections, which the KCC does not delete. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>TopologyDetectStaleEnabled</maml:name><maml:description><maml:para>Prevents the KCC from excluding servers that are unreachable from the topology; that is, the KCC does use an alternate server to reroute replication. Use this option only if network communication is very unstable and brief outages are expected. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>TopologyMinimumHopsEnabled</maml:name><maml:description><maml:para>When enabled, prevents the KCC from generating optimizing connections in the ring topology of intrasite replication. Optimizing connections reduce the replication latency in the site and disabling them is not recommended. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>UniversalGroupCachingEnabled</maml:name><maml:description><maml:para>True if this site caches universal groups (those on GCs); useful in sites with no local GC. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>UniversalGroupCachingRefreshSite</maml:name><maml:description><maml:para>If universal group caching is enabled, the name of the site from which the cache is pulled. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSite</command:parameterValue><dev:type><maml:name>ADReplicationSite</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>WindowsServer2000BridgeheadSelectionMethodEnabled</maml:name><maml:description><maml:para>Implements the Windows 2000 Server method of selecting a single bridgehead server per directory partition and transport. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>WindowsServer2000KCCISTGSelectionBehaviorEnabled</maml:name><maml:description><maml:para>Off by default. When enabled, implements the Windows 2000 Server method of ISTG selection. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>WindowsServer2003KCCBehaviorEnabled</maml:name><maml:description><maml:para>Implements KCC operation that is consistent with Windows Server 2003 forest functional level. This option can be set if all domain controllers in the site are running Windows Server 2003. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>WindowsServer2003KCCIgnoreScheduleEnabled</maml:name><maml:description><maml:para>When the forest functional level Windows Server 2003 or Windows Server 2003 interim is in effect, provides KCC control of the ability to ignore schedules (replication occurs at the designated intervals and is always available). </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>WindowsServer2003KCCSiteLinkBridgingEnabled</maml:name><maml:description><maml:para>When the forest functional level Windows Server 2003 or Windows Server 2003 interim is in effect, provides KCC control of the ability to enable or disable site link bridging. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADReplicationSite</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A site object that is a template for the new site object is received by the Instance parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADReplicationSite</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADReplicationSite NorthAmerica </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new site named 'NorthAmerica'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADReplicationSite Europe -AutomaticInterSiteTopologyGenerationEnabled $FALSE </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new site named 'Europe', and set the AutomaticInterSiteTopologyGenerationEnabled property on the new object. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>$schedule = New-Object -TypeName System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule; $schedule.ResetSchedule(); $schedule.SetDailySchedule("Twenty","Zero","TwentyTwo","Thirty"); New-ADReplicationSite Asia -ReplicationSchedule $schedule </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new site named 'Asia', and set the daily ReplicationSchedule from 20:00 to 22:30. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291070</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADReplicationSite</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADReplicationSite</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADReplicationSite</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>New-ADReplicationSiteLink</command:name><maml:description><maml:para>Creates a new Active Directory site link for in managing replication.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>New</command:verb><command:noun>ADReplicationSiteLink</command:noun><dev:version /></command:details><maml:description><maml:para>The New-ADReplicationSiteLink cmdlet can be used to create a new Active Directory site link. A site link connects two or more sites. Site links reflect the administrative policy for how sites are to be interconnected and the methods used to transfer replication traffic. You must connect sites with site links so that domain controllers at each site can replicate Active Directory changes. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>New-ADReplicationSiteLink</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the site link. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name". </maml:para><maml:para>The following example shows how to set this parameter to a name string. </maml:para><maml:para>-Name "Europe-NorthAmerica" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""><maml:name>SitesIncluded</maml:name><maml:description><maml:para>Specifies the list of sites included in the site link. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADReplicationSite[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Cost</maml:name><maml:description><maml:para>Specifies the cost to be placed on the site link. For more information on determining the cost, see the following topic called "Determining the Cost" in the TechNet Library: http://go.microsoft.com/fwlink/?LinkId=221871 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of a site link object to use as a template for a new site link object. </maml:para><maml:para>You can use an instance of an existing site link object as a template or you can construct a new site link object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new site link object. </maml:para><maml:para>Method 1: Use an existing site link object as a template for a new object. To retrieve an instance of an existing site link object, use a cmdlet such as Get-ADReplicationSiteLink. Then provide this object to the Instance parameter of the New-ADReplicationSiteLink cmdlet to create a new Active Directory object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADReplicationSiteLink -Identity "NorthAmerica-SouthAmerica" </maml:para><maml:para>New-ADReplicationSiteLink -Name "Europe-Asia" -Instance $ObjectInstance </maml:para><maml:para>Method 2: Create a new ADReplicationSiteLink and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADReplicationSiteLink cmdlet to create the new site link object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADReplicationSiteLink </maml:para><maml:para>$objectInstance.Description = "Between North America and South America." </maml:para><maml:para>New-ADReplicationSiteLink -Name "NorthAmerica-SouthAmerica" -Instance $ObjectInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSiteLink</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>InterSiteTransportProtocol</maml:name><maml:description><maml:para>Specifies a valid intersite transport protocol option. Supported protocol options for the New-ADReplicationSiteLink cmdlet include the following: IP, SMTP. </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">IP</command:parameterValue><command:parameterValue required="true" variableLength="false">SMTP</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OtherAttributes</maml:name><maml:description><maml:para>Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory schema. </maml:para><maml:para>Syntax: </maml:para><maml:para>To specify a single value for an attribute: </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value} </maml:para><maml:para>To specify multiple values for an attribute </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...} </maml:para><maml:para>You can specify values for more than one attribute by using semicolons to separate attributes. The following syntax shows how to set values for multiple attributes: </maml:para><maml:para>-OtherAttributes @{'Attribute1LDAPDisplayName'=value; 'Attribute2LDAPDisplayName'=value1,value2;...} </maml:para><maml:para>The following examples show how to use this parameter. </maml:para><maml:para>To set the value of a custom attribute called favColors that takes a set of Unicode strings, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"} </maml:para><maml:para>To set values for favColors and dateOfBirth simultaneously, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"; 'dateOfBirth'=" 01/01/1960"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ReplicationFrequencyInMinutes</maml:name><maml:description><maml:para>Species the frequency (in minutes) for which replication will occur where this site link is in use between sites. Active Directory preserves bandwidth between sites by minimizing the frequency of replication and by allowing you to schedule the availability of site links for replication. By default, intersite replication across each site link occurs every 180 minutes (3 hours). You can adjust this frequency to match your specific needs. Be aware that increasing this frequency increases the amount of bandwidth used by replication. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ReplicationSchedule</maml:name><maml:description><maml:para>Specifies the default replication schedule for any connections within this site link (intra-site replication). This allows you to schedule the availability of site links for use by replication. By default, a site link is available to carry replication traffic 24 hours a day, 7 days a week. You can limit this schedule to specific days of the week and times of day. You can, for example, schedule intersite replication so that it only occurs after normal business hours. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ActiveDirectorySchedule</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Cost</maml:name><maml:description><maml:para>Specifies the cost to be placed on the site link. For more information on determining the cost, see the following topic called "Determining the Cost" in the TechNet Library: http://go.microsoft.com/fwlink/?LinkId=221871 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of a site link object to use as a template for a new site link object. </maml:para><maml:para>You can use an instance of an existing site link object as a template or you can construct a new site link object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new site link object. </maml:para><maml:para>Method 1: Use an existing site link object as a template for a new object. To retrieve an instance of an existing site link object, use a cmdlet such as Get-ADReplicationSiteLink. Then provide this object to the Instance parameter of the New-ADReplicationSiteLink cmdlet to create a new Active Directory object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADReplicationSiteLink -Identity "NorthAmerica-SouthAmerica" </maml:para><maml:para>New-ADReplicationSiteLink -Name "Europe-Asia" -Instance $ObjectInstance </maml:para><maml:para>Method 2: Create a new ADReplicationSiteLink and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADReplicationSiteLink cmdlet to create the new site link object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADReplicationSiteLink </maml:para><maml:para>$objectInstance.Description = "Between North America and South America." </maml:para><maml:para>New-ADReplicationSiteLink -Name "NorthAmerica-SouthAmerica" -Instance $ObjectInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSiteLink</command:parameterValue><dev:type><maml:name>ADReplicationSiteLink</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>InterSiteTransportProtocol</maml:name><maml:description><maml:para>Specifies a valid intersite transport protocol option. Supported protocol options for the New-ADReplicationSiteLink cmdlet include the following: IP, SMTP. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADInterSiteTransportProtocolType</command:parameterValue><dev:type><maml:name>ADInterSiteTransportProtocolType</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the site link. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name". </maml:para><maml:para>The following example shows how to set this parameter to a name string. </maml:para><maml:para>-Name "Europe-NorthAmerica" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OtherAttributes</maml:name><maml:description><maml:para>Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory schema. </maml:para><maml:para>Syntax: </maml:para><maml:para>To specify a single value for an attribute: </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value} </maml:para><maml:para>To specify multiple values for an attribute </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...} </maml:para><maml:para>You can specify values for more than one attribute by using semicolons to separate attributes. The following syntax shows how to set values for multiple attributes: </maml:para><maml:para>-OtherAttributes @{'Attribute1LDAPDisplayName'=value; 'Attribute2LDAPDisplayName'=value1,value2;...} </maml:para><maml:para>The following examples show how to use this parameter. </maml:para><maml:para>To set the value of a custom attribute called favColors that takes a set of Unicode strings, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"} </maml:para><maml:para>To set values for favColors and dateOfBirth simultaneously, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"; 'dateOfBirth'=" 01/01/1960"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ReplicationFrequencyInMinutes</maml:name><maml:description><maml:para>Species the frequency (in minutes) for which replication will occur where this site link is in use between sites. Active Directory preserves bandwidth between sites by minimizing the frequency of replication and by allowing you to schedule the availability of site links for replication. By default, intersite replication across each site link occurs every 180 minutes (3 hours). You can adjust this frequency to match your specific needs. Be aware that increasing this frequency increases the amount of bandwidth used by replication. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ReplicationSchedule</maml:name><maml:description><maml:para>Specifies the default replication schedule for any connections within this site link (intra-site replication). This allows you to schedule the availability of site links for use by replication. By default, a site link is available to carry replication traffic 24 hours a day, 7 days a week. You can limit this schedule to specific days of the week and times of day. You can, for example, schedule intersite replication so that it only occurs after normal business hours. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ActiveDirectorySchedule</command:parameterValue><dev:type><maml:name>ActiveDirectorySchedule</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""><maml:name>SitesIncluded</maml:name><maml:description><maml:para>Specifies the list of sites included in the site link. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADReplicationSite[]</command:parameterValue><dev:type><maml:name>ADReplicationSite[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADReplicationSiteLink</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A site link object that is a template for the new site link object is received by the Instance parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADReplicationSiteLink</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADReplicationSiteLink "NorthAmerica-Europe" -SitesIncluded NorthAmerica,Europe </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new site link named 'NorthAmerica-Europe' linking the two sites 'NorthAmerica' and 'Europe'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADReplicationSiteLink "Europe-Asia" -SitesIncluded Europe,Asia -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new site link named 'Europe-Asia' linking two sites 'Europe' and 'Asia', and set the Cost, ReplicationFrequencyInMinutes and InterSiteTransportProtocol on the new object. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>$schedule = New-Object -TypeName System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule; $schedule.ResetSchedule(); $schedule.SetDailySchedule("Twenty","Zero","TwentyTwo","Thirty"); New-ADReplicationSiteLink "NorthAmerica-SouthAmerica" -SitesIncluded NorthAmerica,SouthAmerica -ReplicationSchedule $schedule </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new site link named 'NorthAmerica-SouthAmerica' linking two sites 'NorthAmerica' and 'SouthAmerica', and set the daily ReplicationSchedule from 20:00 to 22:30. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADReplicationSiteLink "Europe-Asia" -SitesIncluded Europe,Asia -OtherAttributes @{'options'=1} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new site link named 'Europe-Asia' linking two sites 'Europe' and 'Asia', and enable change notification on the new object. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291071</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADReplicationSiteLink</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADReplicationSiteLink</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADReplicationSiteLink</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>New-ADReplicationSiteLinkBridge</command:name><maml:description><maml:para>Creates a new site link bridge in Active Directory for replication.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>New</command:verb><command:noun>ADReplicationSiteLinkBridge</command:noun><dev:version /></command:details><maml:description><maml:para>The New-ADReplicationSiteLinkBridge cmdlet creates a new site link bridge in Active Directory for use in replication. A site link bridge connects two or more site links and enables transitivity between site links. Each site link in a bridge must have a site in common with another site link in the bridge. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>New-ADReplicationSiteLinkBridge</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the replication site link bridge object. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""><maml:name>SiteLinksIncluded</maml:name><maml:description><maml:para>Contains an array of site links that are included in this site link bridge. Accepted values for this parameter are the distinguished name (DN), a GUID, or the name of a site link. This parameter must contain two sites upon creation or else the Instance parameter must be included and used. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADReplicationSiteLink[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of a site link bridge object to use as a template for a new site link bridge object. </maml:para><maml:para>You can use an instance of an existing site link bridge object as a template or you can construct a new site link bridge object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new site link bridge object. </maml:para><maml:para>Method 1: Use an existing site link bridge object as a template for a new object. To retrieve an instance of an existing Active Directory object, use the Get-ADReplicationSiteLinkBridge cmdlet. Then provide this object to the Instance parameter of the New-ADReplicationSiteLinkBridge cmdlet to create a new site link bridge object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADReplicationSiteLinkBridge -Identity "NorthAmerica-Asia" </maml:para><maml:para>New-ADReplicationSiteLinkBridge -Name "SouthAmerica-Asia" -Instance $ObjectInstance </maml:para><maml:para>Method 2: Create a new ADReplicationSiteLinkBridge and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADReplicationSiteLinkBridge cmdlet to create the new site link bridge object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADReplicationSiteLinkBridge </maml:para><maml:para>$objectInstance.Description = "Between North America and Asia." </maml:para><maml:para>New-ADReplicationSiteLinkBridge -Name "NorthAmerica-Asia" -Instance $ObjectInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSiteLinkBridge</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>InterSiteTransportProtocol</maml:name><maml:description><maml:para>Specifies the valid InterSite Transport Protocol for use with this site link bridge. Acceptable options for this parameter include the following: </maml:para><maml:para>- IP </maml:para><maml:para>- SMTP </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">IP</command:parameterValue><command:parameterValue required="true" variableLength="false">SMTP</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OtherAttributes</maml:name><maml:description><maml:para>Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory schema. </maml:para><maml:para>Syntax: </maml:para><maml:para>To specify a single value for an attribute: </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value} </maml:para><maml:para>To specify multiple values for an attribute </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...} </maml:para><maml:para>You can specify values for more than one attribute by using semicolons to separate attributes. The following syntax shows how to set values for multiple attributes: </maml:para><maml:para>-OtherAttributes @{'Attribute1LDAPDisplayName'=value; 'Attribute2LDAPDisplayName'=value1,value2;...} </maml:para><maml:para>The following examples show how to use this parameter. </maml:para><maml:para>To set the value of a custom attribute called favColors that takes a set of Unicode strings, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"} </maml:para><maml:para>To set values for favColors and dateOfBirth simultaneously, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"; 'dateOfBirth'=" 01/01/1960"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of a site link bridge object to use as a template for a new site link bridge object. </maml:para><maml:para>You can use an instance of an existing site link bridge object as a template or you can construct a new site link bridge object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new site link bridge object. </maml:para><maml:para>Method 1: Use an existing site link bridge object as a template for a new object. To retrieve an instance of an existing Active Directory object, use the Get-ADReplicationSiteLinkBridge cmdlet. Then provide this object to the Instance parameter of the New-ADReplicationSiteLinkBridge cmdlet to create a new site link bridge object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADReplicationSiteLinkBridge -Identity "NorthAmerica-Asia" </maml:para><maml:para>New-ADReplicationSiteLinkBridge -Name "SouthAmerica-Asia" -Instance $ObjectInstance </maml:para><maml:para>Method 2: Create a new ADReplicationSiteLinkBridge and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADReplicationSiteLinkBridge cmdlet to create the new site link bridge object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADReplicationSiteLinkBridge </maml:para><maml:para>$objectInstance.Description = "Between North America and Asia." </maml:para><maml:para>New-ADReplicationSiteLinkBridge -Name "NorthAmerica-Asia" -Instance $ObjectInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSiteLinkBridge</command:parameterValue><dev:type><maml:name>ADReplicationSiteLinkBridge</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>InterSiteTransportProtocol</maml:name><maml:description><maml:para>Specifies the valid InterSite Transport Protocol for use with this site link bridge. Acceptable options for this parameter include the following: </maml:para><maml:para>- IP </maml:para><maml:para>- SMTP </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADInterSiteTransportProtocolType</command:parameterValue><dev:type><maml:name>ADInterSiteTransportProtocolType</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the replication site link bridge object. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OtherAttributes</maml:name><maml:description><maml:para>Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory schema. </maml:para><maml:para>Syntax: </maml:para><maml:para>To specify a single value for an attribute: </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value} </maml:para><maml:para>To specify multiple values for an attribute </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...} </maml:para><maml:para>You can specify values for more than one attribute by using semicolons to separate attributes. The following syntax shows how to set values for multiple attributes: </maml:para><maml:para>-OtherAttributes @{'Attribute1LDAPDisplayName'=value; 'Attribute2LDAPDisplayName'=value1,value2;...} </maml:para><maml:para>The following examples show how to use this parameter. </maml:para><maml:para>To set the value of a custom attribute called favColors that takes a set of Unicode strings, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"} </maml:para><maml:para>To set values for favColors and dateOfBirth simultaneously, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"; 'dateOfBirth'=" 01/01/1960"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""><maml:name>SiteLinksIncluded</maml:name><maml:description><maml:para>Contains an array of site links that are included in this site link bridge. Accepted values for this parameter are the distinguished name (DN), a GUID, or the name of a site link. This parameter must contain two sites upon creation or else the Instance parameter must be included and used. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADReplicationSiteLink[]</command:parameterValue><dev:type><maml:name>ADReplicationSiteLink[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADReplicationSiteLinkBridge</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A site link bridge object that is a template for the new site link bridge object is received by the Instance parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADReplicationSiteLinkBridge</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>By default, all site links are bridged (transitive) and creating a site link design is not required. We recommend that you keep transitivity enabled by not changing this default. However, you will need to disable bridging for all site links and complete a site link bridge design if either of the following is true: </maml:para><maml:para>- Your IP network is not fully routed. </maml:para><maml:para>- You need to control the replication flow of the changes made in Active Directory Domain Services (AD DS). </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADReplicationSiteLinkBridge "NorthAmerica-Asia" -SiteLinksIncluded "NorthAmerica-Europe","Europe-Asia" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new site link bridge named 'NorthAmerica-Asia' bridging the two sites links 'NorthAmerica-Europe' and 'Europe-Asia'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADReplicationSiteLinkBridge "NorthAmerica-Asia" -SiteLinksIncluded "NorthAmerica-Europe","Europe-Asia" -InterSiteTransportProtocol IP </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new site link bridge named 'NorthAmerica-Asia' bridging the two sites links 'NorthAmerica-Europe' and 'Europe-Asia', and set the InterSiteTransportProtocol on the new object. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291072</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADReplicationSiteLinkBridge</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADReplicationSiteLinkBridge</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADReplicationSiteLinkBridge</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>New-ADReplicationSubnet</command:name><maml:description><maml:para>Creates a new Active Directory replication subnet object.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>New</command:verb><command:noun>ADReplicationSubnet</command:noun><dev:version /></command:details><maml:description><maml:para>The New-ADReplicationSubnet cmdlet creates a new Active Directory subnet object. Subnet objects (class subnet) define network subnets in Active Directory. A network subnet is a segment of a TCP/IP network to which a set of logical IP addresses is assigned. Subnets group computers in a way that identifies their physical proximity on the network. Subnet objects in Active Directory are used to map computers to sites. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>New-ADReplicationSubnet</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the subnet. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name". </maml:para><maml:para>Subnet names in Active Directory take the form "network/bits masked" (for example, the subnet object 172.16.72.0/22 has a subnet of 172.16.72.0 and a 22-bit subnet mask). </maml:para><maml:para>The following example shows how to set this parameter to a name string. </maml:para><maml:para>-Name "172.16.72.0/22" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""><maml:name>Site</maml:name><maml:description><maml:para>The site associated with this subnet. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSite</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of a subnet object to use as a template for a new subnet object. </maml:para><maml:para>You can use an instance of an existing subnet object as a template or you can construct a new subnet object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new subnet object. </maml:para><maml:para>Method 1: Use an existing subnet object as a template for a new subnet object. To retrieve an instance of an existing subnet object, use the Get-ADReplicationSubnet cmdlet. Then provide this object to the Instance parameter of the New-ADReplicationSubnet cmdlet to create a new subnet object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADReplicationSubnet -Identity "10.0.0.0/25" </maml:para><maml:para>New-ADReplicationSubnet -Name "12.0.0.0/25" -Instance $ObjectInstance </maml:para><maml:para>Method 2: Create a new ADReplicationSubnet and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADReplicationSubnet cmdlet to create the new subnet object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADReplicationSubnet </maml:para><maml:para>$objectInstance.Description = "Branch office subnet." </maml:para><maml:para>New-ADReplicationSubnet -Name "10.0.0.0/25" -Instance $ObjectInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSubnet</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Location</maml:name><maml:description><maml:para>A description of the physical location of this subnet. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OtherAttributes</maml:name><maml:description><maml:para>Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory schema. </maml:para><maml:para>Syntax: </maml:para><maml:para>To specify a single value for an attribute: </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value} </maml:para><maml:para>To specify multiple values for an attribute </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...} </maml:para><maml:para>You can specify values for more than one attribute by using semicolons to separate attributes. The following syntax shows how to set values for multiple attributes: </maml:para><maml:para>-OtherAttributes @{'Attribute1LDAPDisplayName'=value; 'Attribute2LDAPDisplayName'=value1,value2;...} </maml:para><maml:para>The following examples show how to use this parameter. </maml:para><maml:para>To set the value of a custom attribute called favColors that takes a set of Unicode strings, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"} </maml:para><maml:para>To set values for favColors and dateOfBirth simultaneously, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"; 'dateOfBirth'=" 01/01/1960"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of a subnet object to use as a template for a new subnet object. </maml:para><maml:para>You can use an instance of an existing subnet object as a template or you can construct a new subnet object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new subnet object. </maml:para><maml:para>Method 1: Use an existing subnet object as a template for a new subnet object. To retrieve an instance of an existing subnet object, use the Get-ADReplicationSubnet cmdlet. Then provide this object to the Instance parameter of the New-ADReplicationSubnet cmdlet to create a new subnet object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADReplicationSubnet -Identity "10.0.0.0/25" </maml:para><maml:para>New-ADReplicationSubnet -Name "12.0.0.0/25" -Instance $ObjectInstance </maml:para><maml:para>Method 2: Create a new ADReplicationSubnet and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADReplicationSubnet cmdlet to create the new subnet object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADReplicationSubnet </maml:para><maml:para>$objectInstance.Description = "Branch office subnet." </maml:para><maml:para>New-ADReplicationSubnet -Name "10.0.0.0/25" -Instance $ObjectInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSubnet</command:parameterValue><dev:type><maml:name>ADReplicationSubnet</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Location</maml:name><maml:description><maml:para>A description of the physical location of this subnet. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the subnet. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name". </maml:para><maml:para>Subnet names in Active Directory take the form "network/bits masked" (for example, the subnet object 172.16.72.0/22 has a subnet of 172.16.72.0 and a 22-bit subnet mask). </maml:para><maml:para>The following example shows how to set this parameter to a name string. </maml:para><maml:para>-Name "172.16.72.0/22" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OtherAttributes</maml:name><maml:description><maml:para>Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory schema. </maml:para><maml:para>Syntax: </maml:para><maml:para>To specify a single value for an attribute: </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value} </maml:para><maml:para>To specify multiple values for an attribute </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...} </maml:para><maml:para>You can specify values for more than one attribute by using semicolons to separate attributes. The following syntax shows how to set values for multiple attributes: </maml:para><maml:para>-OtherAttributes @{'Attribute1LDAPDisplayName'=value; 'Attribute2LDAPDisplayName'=value1,value2;...} </maml:para><maml:para>The following examples show how to use this parameter. </maml:para><maml:para>To set the value of a custom attribute called favColors that takes a set of Unicode strings, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"} </maml:para><maml:para>To set values for favColors and dateOfBirth simultaneously, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"; 'dateOfBirth'=" 01/01/1960"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""><maml:name>Site</maml:name><maml:description><maml:para>The site associated with this subnet. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSite</command:parameterValue><dev:type><maml:name>ADReplicationSite</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADReplicationSubnet</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A subnet object that is a template for the new subnet object is received by the Instance parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADReplicationSubnet</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADReplicationSubnet -Name "10.0.0.0/25" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new subnet named '10.0.0.0/25'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADReplicationSubnet -Name "10.10.0.0/22" -Site Asia -Location "Tokyo,Japan" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new subnet named '10.10.0.0/22' with 'Asia' as its associated site, and set the Location property to "Tokyo,Japan". </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291073</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADReplicationSubnet</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADReplicationSubnet</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADReplicationSubnet</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>New-ADResourceProperty</command:name><maml:description><maml:para>Creates a new resource property in Active Directory. </maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>New</command:verb><command:noun>ADResourceProperty</command:noun><dev:version /></command:details><maml:description><maml:para>The New-ADResourceProperty cmdlet creates a new resource property in the directory. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>New-ADResourceProperty</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the resource property. The display name of the resource property must be unique. </maml:para><maml:para>The display name of a resource property can be used as an identity in other Active Directory cmdlets. For example, if the display name of a resource property is "Country", then you can use 'Get-ADResourceProperty -Identity "Country"' to retrieve the resource property. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AppliesToResourceTypes</maml:name><maml:description><maml:para>Specifies the resource types to which this resource property is applied. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Enabled</maml:name><maml:description><maml:para>Specifies if the resource property is enabled. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ID</maml:name><maml:description><maml:para>Specifies the resource property ID. This is an optional parameter. By default, New-ADResourceProperty generates the ID automatically. </maml:para><maml:para>The ID should only be set manually in a multi-forest environment where the same resource properties need to work across forests. For resource properties to be considered identical across forests, their ID must be the same. </maml:para><maml:para>To specify the ID, the ID string must conform to the following format: </maml:para><maml:para>1. Start with a prefix string of 1 to 15 characters in length. </maml:para><maml:para>2. The prefix string must be followed by an underscore. </maml:para><maml:para>3. The prefix string and underscore must be followed by a suffix string of 1 to 16 characters in length. </maml:para><maml:para>4. All characters contained in either prefix or suffix strings must contain only valid filename characters. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of a resource property object to use as a template for a new resource property object. </maml:para><maml:para>You can use an instance of an existing resource property object as a template or you can construct a new resource property object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new resource property object. </maml:para><maml:para>Method 1: Use an existing resource property object as a template for a new object. To retrieve an instance of an existing resource property object, use a cmdlet such as Get-ADResourceProperty. Then provide this object to the Instance parameter of the New-ADResourceProperty cmdlet to create a new resource property object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADResourceProperty -Identity "Country" </maml:para><maml:para>New-ADResourceProperty -Name "Region" -Instance $ObjectInstance </maml:para><maml:para>Method 2: Create a new ADResourceProperty and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADResourceProperty cmdlet to create the new resource property object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADResourceProperty </maml:para><maml:para>$objectInstance.Description = "Non-Disclosure Agreement (NDA)" </maml:para><maml:para>New-ADResourceProperty -Name "NDA" -Instance $ObjectInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADResourceProperty</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>IsSecured</maml:name><maml:description><maml:para>Used to configure whether the resource property is secure or not. Only secure resource properties can be used for authorization decisions or used within central access rules. Unsecured resource properties cannot be used for these purposes. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OtherAttributes</maml:name><maml:description><maml:para>Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory schema. </maml:para><maml:para>Syntax: </maml:para><maml:para>To specify a single value for an attribute: </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value} </maml:para><maml:para>To specify multiple values for an attribute </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...} </maml:para><maml:para>You can specify values for more than one attribute by using semicolons to separate attributes. The following syntax shows how to set values for multiple attributes: </maml:para><maml:para>-OtherAttributes @{'Attribute1LDAPDisplayName'=value; 'Attribute2LDAPDisplayName'=value1,value2;...} </maml:para><maml:para>The following examples show how to use this parameter. </maml:para><maml:para>To set the value of a custom attribute called favColors that takes a set of Unicode strings, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"} </maml:para><maml:para>To set values for favColors and dateOfBirth simultaneously, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"; 'dateOfBirth'=" 01/01/1960"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>SharesValuesWith</maml:name><maml:description><maml:para>Use this parameter to create a reference resource property. Reference resource properties do not provide their own suggested values, but rather use the suggested values from the claim type object specified in this parameter. This enables the resource property to always remain valid for use in comparisons to its referred claim type within a central access rule. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimType</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>SuggestedValues</maml:name><maml:description><maml:para>Specifies one or more suggested values for the resource property. An application may choose to present this list of suggested values for the user to choose from. When RestrictValues is set to true, the application should restrict the user to pick values from this list only. </maml:para><maml:para>Example: </maml:para><maml:para>$us = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("US", "United States of America", "United States of America"); </maml:para><maml:para>$jp = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("JP", "Japan", "Japan"); </maml:para><maml:para>New-ADResourceProperty Country -ResourcePropertyValueType MS-DS-MultivaluedChoice -SuggestedValues $us,$jp </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADSuggestedValueEntry[]</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ResourcePropertyValueType</maml:name><maml:description><maml:para>The parameter specifies the value type for this resource property. When a resource property is passed to a resource manager (e.g., File Server), the resource manager leverages the resource property value type to determine how the resource property should be handled. </maml:para><maml:para>The full list of resource property value types can be retrieved by calling the Get-ADResourcePropertyValueType cmdlet. </maml:para><maml:para>Example: Get-ADResourcePropertyValueType -Filter * | ft Name </maml:para><maml:para>Below is a list of the built-in resource property value types available in Active Directory: </maml:para><maml:para>- MS-DS-SinglevaluedChoice </maml:para><maml:para>- MS-DS-YesNo </maml:para><maml:para>- MS-DS-Number </maml:para><maml:para>- MS-DS-DateTime </maml:para><maml:para>- MS-DS-OrderedList </maml:para><maml:para>- MS-DS-Text </maml:para><maml:para>- MS-DS-MultivaluedText </maml:para><maml:para>- MS-DS-MultivaluedChoice </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADResourcePropertyValueType</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AppliesToResourceTypes</maml:name><maml:description><maml:para>Specifies the resource types to which this resource property is applied. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the resource property. The display name of the resource property must be unique. </maml:para><maml:para>The display name of a resource property can be used as an identity in other Active Directory cmdlets. For example, if the display name of a resource property is "Country", then you can use 'Get-ADResourceProperty -Identity "Country"' to retrieve the resource property. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Enabled</maml:name><maml:description><maml:para>Specifies if the resource property is enabled. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue>False</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ID</maml:name><maml:description><maml:para>Specifies the resource property ID. This is an optional parameter. By default, New-ADResourceProperty generates the ID automatically. </maml:para><maml:para>The ID should only be set manually in a multi-forest environment where the same resource properties need to work across forests. For resource properties to be considered identical across forests, their ID must be the same. </maml:para><maml:para>To specify the ID, the ID string must conform to the following format: </maml:para><maml:para>1. Start with a prefix string of 1 to 15 characters in length. </maml:para><maml:para>2. The prefix string must be followed by an underscore. </maml:para><maml:para>3. The prefix string and underscore must be followed by a suffix string of 1 to 16 characters in length. </maml:para><maml:para>4. All characters contained in either prefix or suffix strings must contain only valid filename characters. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue>Auto-generated</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of a resource property object to use as a template for a new resource property object. </maml:para><maml:para>You can use an instance of an existing resource property object as a template or you can construct a new resource property object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new resource property object. </maml:para><maml:para>Method 1: Use an existing resource property object as a template for a new object. To retrieve an instance of an existing resource property object, use a cmdlet such as Get-ADResourceProperty. Then provide this object to the Instance parameter of the New-ADResourceProperty cmdlet to create a new resource property object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADResourceProperty -Identity "Country" </maml:para><maml:para>New-ADResourceProperty -Name "Region" -Instance $ObjectInstance </maml:para><maml:para>Method 2: Create a new ADResourceProperty and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADResourceProperty cmdlet to create the new resource property object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADResourceProperty </maml:para><maml:para>$objectInstance.Description = "Non-Disclosure Agreement (NDA)" </maml:para><maml:para>New-ADResourceProperty -Name "NDA" -Instance $ObjectInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADResourceProperty</command:parameterValue><dev:type><maml:name>ADResourceProperty</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>IsSecured</maml:name><maml:description><maml:para>Used to configure whether the resource property is secure or not. Only secure resource properties can be used for authorization decisions or used within central access rules. Unsecured resource properties cannot be used for these purposes. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue>True</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OtherAttributes</maml:name><maml:description><maml:para>Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory schema. </maml:para><maml:para>Syntax: </maml:para><maml:para>To specify a single value for an attribute: </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value} </maml:para><maml:para>To specify multiple values for an attribute </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...} </maml:para><maml:para>You can specify values for more than one attribute by using semicolons to separate attributes. The following syntax shows how to set values for multiple attributes: </maml:para><maml:para>-OtherAttributes @{'Attribute1LDAPDisplayName'=value; 'Attribute2LDAPDisplayName'=value1,value2;...} </maml:para><maml:para>The following examples show how to use this parameter. </maml:para><maml:para>To set the value of a custom attribute called favColors that takes a set of Unicode strings, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"} </maml:para><maml:para>To set values for favColors and dateOfBirth simultaneously, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"; 'dateOfBirth'=" 01/01/1960"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ResourcePropertyValueType</maml:name><maml:description><maml:para>The parameter specifies the value type for this resource property. When a resource property is passed to a resource manager (e.g., File Server), the resource manager leverages the resource property value type to determine how the resource property should be handled. </maml:para><maml:para>The full list of resource property value types can be retrieved by calling the Get-ADResourcePropertyValueType cmdlet. </maml:para><maml:para>Example: Get-ADResourcePropertyValueType -Filter * | ft Name </maml:para><maml:para>Below is a list of the built-in resource property value types available in Active Directory: </maml:para><maml:para>- MS-DS-SinglevaluedChoice </maml:para><maml:para>- MS-DS-YesNo </maml:para><maml:para>- MS-DS-Number </maml:para><maml:para>- MS-DS-DateTime </maml:para><maml:para>- MS-DS-OrderedList </maml:para><maml:para>- MS-DS-Text </maml:para><maml:para>- MS-DS-MultivaluedText </maml:para><maml:para>- MS-DS-MultivaluedChoice </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADResourcePropertyValueType</command:parameterValue><dev:type><maml:name>ADResourcePropertyValueType</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>SharesValuesWith</maml:name><maml:description><maml:para>Use this parameter to create a reference resource property. Reference resource properties do not provide their own suggested values, but rather use the suggested values from the claim type object specified in this parameter. This enables the resource property to always remain valid for use in comparisons to its referred claim type within a central access rule. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimType</command:parameterValue><dev:type><maml:name>ADClaimType</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>SuggestedValues</maml:name><maml:description><maml:para>Specifies one or more suggested values for the resource property. An application may choose to present this list of suggested values for the user to choose from. When RestrictValues is set to true, the application should restrict the user to pick values from this list only. </maml:para><maml:para>Example: </maml:para><maml:para>$us = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("US", "United States of America", "United States of America"); </maml:para><maml:para>$jp = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("JP", "Japan", "Japan"); </maml:para><maml:para>New-ADResourceProperty Country -ResourcePropertyValueType MS-DS-MultivaluedChoice -SuggestedValues $us,$jp </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADSuggestedValueEntry[]</command:parameterValue><dev:type><maml:name>ADSuggestedValueEntry[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADResourceProperty</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADResourceProperty</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADResourceProperty Authors -ResourcePropertyValueType MS-DS-MultivaluedText </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new resource property with display name 'Authors'. The resource property allows the names of multiple authors to be specified. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>$us = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("US", "United States of America", "United States of America"); $jp = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("JP", "Japan", "Japan"); New-ADResourceProperty Country -ResourcePropertyValueType MS-DS-MultivaluedChoice -SuggestedValues $us,$jp </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new resource property with display name 'Country'. The suggested values are set to 'US' and 'JP'. Applications using this resource property would allow their users to specify one of the suggested values as this resource property's value. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADResourceProperty Country -ResourcePropertyValueType MS-DS-MultivaluedChoice -SharesValuesWith Country </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new reference resource property with display name 'Country'. It uses an existing claim type named 'Country' for its suggested values. This enables the resource property to be always valid for comparisons with the referenced claim type in a central access rule. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADResourceProperty Authors -ResourcePropertyValueType MS-DS-MultivaluedText -ID Authors_60DB20331638 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new resource property with display name 'Authors', and set its ID to 'Authors_60DB20331638'. </maml:para><maml:para>The ID should only be set manually in a multi-forest environment where the same resource property needs to work across forests. By default, New-ADResourceProperty generates the ID automatically. For resource properties to be considered identical across forests, their ID must be the same. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291074</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADResourceProperty</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>New-ADResourcePropertyList</command:name><maml:description><maml:para>Creates a new resource property list in Active Directory. </maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>New</command:verb><command:noun>ADResourcePropertyList</command:noun><dev:version /></command:details><maml:description><maml:para>The New-ADResourcePropertyList cmdlet creates a resource property list in Active Directory. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>New-ADResourcePropertyList</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name". </maml:para><maml:para>The following example shows how to set this parameter to a name string. </maml:para><maml:para>-Name "SaraDavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of an resource property list object to use as a template for a new resource property list object. </maml:para><maml:para>You can use an instance of an existing resource property list object as a template or you can construct a new resource property list object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new resource property list object. </maml:para><maml:para>Method 1: Use an existing resource property list object as a template for a new object. To retrieve an instance of an existing resource property list object, use a cmdlet such as Get-ADResourcePropertyList. Then provide this object to the Instance parameter of the New-ADResourcePropertyList cmdlet to create a new resource property list object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADResourcePropertyList -Identity "Global Resource Property List" </maml:para><maml:para>New-ADResourcePropertyList -Name "Finance Resource Property List" -Instance $ObjectInstance </maml:para><maml:para>Method 2: Create a new ADResourcePropertyList and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADResourcePropertyList cmdlet to create the new resource property list object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADResourcePropertyList </maml:para><maml:para>$objectInstance.Description = "For finance use only." </maml:para><maml:para>New-ADResourcePropertyList -Name "Finance Resource Property List" -Instance $ObjectInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADResourcePropertyList</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of an resource property list object to use as a template for a new resource property list object. </maml:para><maml:para>You can use an instance of an existing resource property list object as a template or you can construct a new resource property list object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new resource property list object. </maml:para><maml:para>Method 1: Use an existing resource property list object as a template for a new object. To retrieve an instance of an existing resource property list object, use a cmdlet such as Get-ADResourcePropertyList. Then provide this object to the Instance parameter of the New-ADResourcePropertyList cmdlet to create a new resource property list object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADResourcePropertyList -Identity "Global Resource Property List" </maml:para><maml:para>New-ADResourcePropertyList -Name "Finance Resource Property List" -Instance $ObjectInstance </maml:para><maml:para>Method 2: Create a new ADResourcePropertyList and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADResourcePropertyList cmdlet to create the new resource property list object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADResourcePropertyList </maml:para><maml:para>$objectInstance.Description = "For finance use only." </maml:para><maml:para>New-ADResourcePropertyList -Name "Finance Resource Property List" -Instance $ObjectInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADResourcePropertyList</command:parameterValue><dev:type><maml:name>ADResourcePropertyList</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name". </maml:para><maml:para>The following example shows how to set this parameter to a name string. </maml:para><maml:para>-Name "SaraDavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADResourcePropertyList</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADResourcePropertyList</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADResourcePropertyList "Corporate Resource Property List" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Creates a new resource property list named "Corporate Resource Property List". </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADResourcePropertyList "Corporate Resource Property List" -Description "For corporate documents." </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Creates a new resource property list named "Corporate Resource Property List" with the description "For corporate documents." </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADResourcePropertyList "Corporate Resource Property List" | New-ADResourcePropertyList "Finance Resource Property List" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new resource property list using the property values from a 'Corporate Resource Property List'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291075</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>New-ADServiceAccount</command:name><maml:description><maml:para>Creates a new Active Directory managed service account or group managed service account object.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>New</command:verb><command:noun>ADServiceAccount</command:noun><dev:version /></command:details><maml:description><maml:para>The New-ADServiceAccount cmdlet creates a new Active Directory managed service account (MSA). By default a group MSA is created. To create a standalone MSA which is linked to a specific computer, the -Standalone parameter is used. To create a group MSA which can only be used in client roles, the -Agent parameter is used. This creates a group MSA which can be used for outbound connections only and attempts to connect to services using this account will fail since the account does not have enough information for authentication to be successful. You can set commonly used MSA property values by using the cmdlet parameters. Property values that are not associated with cmdlet parameters can be set by using the OtherAttributes parameter. </maml:para><maml:para>The Path parameter specifies the container or organizational unit (OU) for the new MSA object. When you do not specify the Path parameter, the cmdlet creates an object in the default Managed Service Accounts container for MSA objects in the domain. </maml:para><maml:para>The following methods explain different ways to create an object by using this cmdlet. </maml:para><maml:para>Method 1: Use the New-ADServiceAccount cmdlet, specify the required parameters, and set any additional property values by using the cmdlet parameters. </maml:para><maml:para>Method 2: Use a template to create the new object. To do this, create a new MSA object or retrieve a copy of an existing MSA object and set the Instance parameter to this object. The object provided to the Instance parameter is used as a template for the new object. You can override property values from the template by setting cmdlet parameters. For examples and more information, see the Instance parameter description for this cmdlet. </maml:para><maml:para>Method 3: Use the Import-CSV cmdlet with the New-ADServiceAccount cmdlet to create multiple Active Directory MSA objects. To do this, use the Import-CSV cmdlet to create the custom objects from a comma-separated value (CSV) file that contains a list of object properties. Then pass these objects through the pipeline to the New-ADServiceAccount cmdlet to create the MSA objects. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>New-ADServiceAccount</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name". </maml:para><maml:para>The following example shows how to set this parameter to a name string. </maml:para><maml:para>-Name "Service1" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AccountExpirationDate</maml:name><maml:description><maml:para>Specifies the expiration date for an account. When you set this parameter to 0, the account never expires. This parameter sets the AccountExpirationDate property of an account object. The LDAP Display name (ldapDisplayName) for this property is accountExpires. </maml:para><maml:para>Use the DateTime syntax when you specify this parameter. Time is assumed to be local time unless otherwise specified. When a time value is not specified, the time is assumed to 12:00:00 AM local time. When a date is not specified, the date is assumed to be the current date. The following examples show commonly-used syntax to specify a DateTime object. </maml:para><maml:para>"4/17/2006" </maml:para><maml:para>"Monday, April 17, 2006" </maml:para><maml:para>"2:22:45 PM" </maml:para><maml:para>"Monday, April 17, 2006 2:22:45 PM" </maml:para><maml:para>These examples specify the same date and the time without the seconds. </maml:para><maml:para>"4/17/2006 2:22 PM" </maml:para><maml:para>"Monday, April 17, 2006 2:22 PM" </maml:para><maml:para>"2:22 PM" </maml:para><maml:para>The following example shows how to specify a date and time by using the RFC1123 standard. This example defines time by using Greenwich Mean Time (GMT). </maml:para><maml:para>"Mon, 17 Apr 2006 21:22:48 GMT" </maml:para><maml:para>The following example shows how to specify a round-trip value as Coordinated Universal Time (UTC). This example represents Monday, April 17, 2006 at 2:22:48 PM UTC. </maml:para><maml:para>"2006-04-17T14:22:48.0000000" </maml:para><maml:para>The following example shows how to set this parameter to the date May 1, 2012 at 5 PM. </maml:para><maml:para>-AccountExpirationDate "05/01/2012 5:00:00 PM" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AccountNotDelegated</maml:name><maml:description><maml:para>Specifies whether the security context of the user is delegated to a service. When this parameter is set to true, the security context of the account is not delegated to a service even when the service account is set as trusted for Kerberos delegation. This parameter sets the AccountNotDelegated property for an Active Directory account. This parameter also sets the ADS_UF_NOT_DELEGATED flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that the security context of the account is not delegated to a service. </maml:para><maml:para>-AccountNotDelegated $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AuthenticationPolicy</maml:name><maml:description><maml:para></maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AuthenticationPolicySilo</maml:name><maml:description><maml:para></maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicySilo</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Certificates</maml:name><maml:description><maml:para>Modifies the DER-encoded X.509v3 certificates of the account. These certificates include the public key certificates issued to this account by the Microsoft Certificate Service. This parameter sets the Certificates property of the account object. The LDAP Display Name (ldapDisplayName) for this property is "userCertificate". </maml:para><maml:para>Syntax: </maml:para><maml:para>To add values: </maml:para><maml:para>-Certificates @{Add=value1,value2,...} </maml:para><maml:para>To remove values: </maml:para><maml:para>-Certificates @{Remove=value3,value4,...} </maml:para><maml:para>To replace values: </maml:para><maml:para>-Certificates @{Replace=value1,value2,...} </maml:para><maml:para>To clear all values: </maml:para><maml:para>-Certificates $null </maml:para><maml:para>You can specify more than one operation by using a list separated by semicolons. For example, use the following syntax to add and remove Certificate values </maml:para><maml:para>-Certificates @{Add=value1,value2,...};@{Remove=value3,value4,...} </maml:para><maml:para>The operators will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>The following example shows how to create a certificate by using the New-Object cmdlet, and then add it to a user account. When this cmdlet is run, <certificate password> is replaced by the password used to add the certificate. </maml:para><maml:para>$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate certificate1.cer <certificate password> </maml:para><maml:para>Set-ADServiceAccount Service1 -Certificates @{Add=$cert} </maml:para><maml:para>The following example shows how to add a certificate that is specified as a byte array. </maml:para><maml:para>Set-ADServiceAccount Service1 -Certificates @{Add= [Byte[]](0xC5,0xEE,0x53,...)} </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>CompoundIdentitySupported</maml:name><maml:description><maml:para>Specifies whether an account supports Kerberos service tickets which includes the authorization data for the user's device. This value sets the compound identity supported flag of the Active Directory msDS-SupportedEncryptionTypes attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to specify that an account supports compound identity. </maml:para><maml:para>-CompoundIdentitySupported $true </maml:para><maml:para>Warning: Domain-joined Windows systems and services such as clustering manage their own msDS-SupportedEncryptionTypes attribute. Therefore any changes to the flag on the msDS-SupportedEncryptionTypes attribute will be overwritten by the service or system which manages the setting. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the service account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type an administrative account name, such as "Admin1" or "Contoso\Admin1" or you can specify a PSCredential object. If you specify a service account name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then use it to specify the Credential parameter to the ADServiceAccount object. </maml:para><maml:para>The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Contoso\Admin1" </maml:para><maml:para>The following shows how to use the PSCredential object to specify administrative credentials when creating a new ADServiceAccount object by using the Credential parameter. </maml:para><maml:para>New-ADServiceAccount -Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is "displayName". </maml:para><maml:para>The following example shows how to include this parameter when creating a new service account. </maml:para><maml:para>New-ADServiceAccount -DisplayName "Service Account for use with Contoso LOB Application" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Enabled</maml:name><maml:description><maml:para>Specifies if an account is enabled. An enabled account requires a password. This parameter sets the Enabled property for an account object. This parameter also sets the ADS_UF_ACCOUNTDISABLE flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to enable the service account when creating it. </maml:para><maml:para>New-ADServiceAccount -Enabled $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>HomePage</maml:name><maml:description><maml:para>Specifies the URL of the home page of the object. This parameter sets the homePage property of an Active Directory object. The LDAP Display Name (ldapDisplayName) for this property is "wWWHomePage". </maml:para><maml:para>The following example shows how to set this parameter to a URL when creating the service account. </maml:para><maml:para>New-ADServiceAccount -HomePage "http://accounts.contoso.com/Service1" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of a service account object to use as a template for a new service account object. </maml:para><maml:para>You can use an instance of an existing service account object as a template or you can construct a new service account object for template use. You can construct a new service account using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create service account object templates. </maml:para><maml:para>Method 1: Use an existing service account object as a template for a new object. To retrieve an instance of an existing service account object, use a cmdlet such as Get-ADServiceAccount. Then provide this object to the Instance parameter of the New-ADServiceAccount cmdlet to create a new service account object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$serviceAccountInstance = Get-ADServiceAccount -Identity </maml:para><maml:para>New-ADServiceAccount -Name "ServiceAdmin2" -Instance $serviceAccountInstance -Description "Service Account 2" </maml:para><maml:para>Method 2: Create a new ADServiceAccount object and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADServiceAccount cmdlet to create the new Active Directory service account object. </maml:para><maml:para>$serviceAccountInstance = new-object Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>$serviceAccountInstance. Description "Service Account 2" </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADServiceAccount</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>KerberosEncryptionType</maml:name><maml:description><maml:para>Specifies whether an account supports Kerberos encryption types which are used during creation of service tickets. This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes attribute. Possible values for this parameter are: </maml:para><maml:para>None </maml:para><maml:para>DES </maml:para><maml:para>RC4 </maml:para><maml:para>AES128 </maml:para><maml:para>AES256 </maml:para><maml:para>None, will remove all encryption types from the account may result in the KDC being unable to issue service tickets for services using the account. </maml:para><maml:para>DES is a weak encryption type which is not supported by default since Windows 7 and Windows Server 2008 R2. </maml:para><maml:para>The following example shows how to specify that an account supports service tickets with device authorization data. </maml:para><maml:para>-KerberosEncryptionTypes RC4,AES128,AES256 </maml:para><maml:para>Warning: Domain-joined Windows systems and services such as clustering manage their own msDS-SupportedEncryptionTypes attribute. Therefore any changes to the flag on the msDS-SupportedEncryptionTypes attribute will be overwritten by the service or system which manages the setting. </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">None</command:parameterValue><command:parameterValue required="true" variableLength="false">DES</command:parameterValue><command:parameterValue required="true" variableLength="false">RC4</command:parameterValue><command:parameterValue required="true" variableLength="false">AES128</command:parameterValue><command:parameterValue required="true" variableLength="false">AES256</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ManagedPasswordIntervalInDays</maml:name><maml:description><maml:para>Specifies the number of days for the password change interval. If set to 0 then the default is used. This can only be set on object creation. After that the setting is read only. This value returns the msDS-ManagedPasswordInterval of the group managed service account object. </maml:para><maml:para>The following example shows how to specify a 90 day password changes interval: </maml:para><maml:para>-ManagedPasswordIntervalInDays 90 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OtherAttributes</maml:name><maml:description><maml:para>Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory schema. </maml:para><maml:para>Syntax: </maml:para><maml:para>To specify a single value for an attribute: </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value} </maml:para><maml:para>To specify multiple values for an attribute </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...} </maml:para><maml:para>You can specify values for more than one attribute by using semicolons to separate attributes. The following syntax shows how to set values for multiple attributes: </maml:para><maml:para>-OtherAttributes @{'Attribute1LDAPDisplayName'=value; 'Attribute2LDAPDisplayName'=value1,value2;...} </maml:para><maml:para>The following examples show how to use this parameter. </maml:para><maml:para>To set the value of a custom attribute called favColors that takes a set of Unicode strings, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"} </maml:para><maml:para>To set values for favColors and dateOfBirth simultaneously, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"; 'dateOfBirth'=" 01/01/1960"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Path</maml:name><maml:description><maml:para>Specifies the X.500 path of the Organizational Unit (OU) or container where the new object is created. </maml:para><maml:para>In many cases, a default value will be used for the Path parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Path will be set in the following cases: </maml:para><maml:para>- If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive. </maml:para><maml:para>- If the cmdlet has a default path, this will be used. For example: in New-ADUser, the Path parameter would default to the Users container. </maml:para><maml:para>- If none of the previous cases apply, the default value of Path will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Path will be set in the following cases: </maml:para><maml:para>- If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive. </maml:para><maml:para>- If the cmdlet has a default path, this will be used. For example: in New-ADUser, the Path parameter would default to the Users container. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Path will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Path parameter will not take any default value. </maml:para><maml:para>The following example shows how to set this parameter to an OU. </maml:para><maml:para>-Path "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>Note: The Active Directory Provider cmdlets, such New-Item, Remove-Item, Remove-ItemProperty, Rename-Item and Set-ItemProperty also contain a Path property. However, for the provider cmdlets, the Path parameter identifies the path of the actual object and not the container as with the Active Directory cmdlets. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>PrincipalsAllowedToDelegateToAccount</maml:name><maml:description><maml:para>Specifies the accounts which can act on the behalf of users to services running as this Managed Service Account or Group Managed Service Account. This parameter sets the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the object. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADPrincipal[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>PrincipalsAllowedToRetrieveManagedPassword</maml:name><maml:description><maml:para>Specifies the membership policy for systems which can use a group managed service account. For a service to run under a group managed service account, the system must be in the membership policy of the account. This parameter sets the msDS-GroupMSAMembership attribute of a group managed service account object. This parameter should be set to the principals allowed to use this group managed service account. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADPrincipal[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>SamAccountName</maml:name><maml:description><maml:para>Specifies the Security Account Manager (SAM) account name of the user, group, computer, or service account. The maximum length of the description is 256 characters. To be compatible with older operating systems, create a SAM account name that is 20 characters or less. This parameter sets the SAMAccountName for an account object. The LDAP display name (ldapDisplayName) for this property is "sAMAccountName". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-SAMAccountName "Service1" </maml:para><maml:para>Note: If the SAMAccountName string provided, does not end with a '$', one will be appended if needed. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name (FQDN) </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>New-ADServiceAccount -Server "corp.contoso.com" </maml:para><maml:para>The following example shows how to specify a full qualified directory server name as the parameter value. </maml:para><maml:para>New-ADServiceAccount -Server "corp-DC12.corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ServicePrincipalNames</maml:name><maml:description><maml:para>Specifies the service principal names for the account. This parameter sets the ServicePrincipalNames property of the account. The LDAP display name (ldapDisplayName) for this property is servicePrincipalName. This parameter uses the following syntax to add remove, replace or clear service principal name values. </maml:para><maml:para>Syntax: </maml:para><maml:para>To add values: </maml:para><maml:para>-ServicePrincipalNames @{Add=value1,value2,...} </maml:para><maml:para>To remove values: </maml:para><maml:para>-ServicePrincipalNames @{Remove=value3,value4,...} </maml:para><maml:para>To replace values: </maml:para><maml:para>-ServicePrincipalNames @{Replace=value1,value2,...} </maml:para><maml:para>To clear all values: </maml:para><maml:para>-ServicePrincipalNames $null </maml:para><maml:para>You can specify more than one change by using a list separated by semicolons. For example, use the following syntax to add and remove service principal names. </maml:para><maml:para>@{Add=value1,value2,...};@{Remove=value3,value4,...} </maml:para><maml:para>The operators will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>The following example shows how to add and remove service principal names. </maml:para><maml:para>-ServicePrincipalNames-@{Add="SQLservice\accounting.corp.contoso.com:1456"};{Remove="SQLservice\finance.corp.contoso.com:1456"} </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>TrustedForDelegation</maml:name><maml:description><maml:para>Specifies whether an account is trusted for Kerberos delegation. A service that runs under an account that is trusted for Kerberos delegation can assume the identity of a client requesting the service. This parameter sets the TrustedForDelegation property of an account object. This value also sets the ADS_UF_TRUSTED_FOR_DELEGATION flag of the Active Directory User Account Control attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to specify that an account is trusted for Kerberos delegation. </maml:para><maml:para>-TrustedForDelegation $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>DNSHostName</maml:name><maml:description><maml:para>Specifies the Domain Name System (DNS) host name. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>New-ADServiceAccount</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name". </maml:para><maml:para>The following example shows how to set this parameter to a name string. </maml:para><maml:para>-Name "Service1" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AccountExpirationDate</maml:name><maml:description><maml:para>Specifies the expiration date for an account. When you set this parameter to 0, the account never expires. This parameter sets the AccountExpirationDate property of an account object. The LDAP Display name (ldapDisplayName) for this property is accountExpires. </maml:para><maml:para>Use the DateTime syntax when you specify this parameter. Time is assumed to be local time unless otherwise specified. When a time value is not specified, the time is assumed to 12:00:00 AM local time. When a date is not specified, the date is assumed to be the current date. The following examples show commonly-used syntax to specify a DateTime object. </maml:para><maml:para>"4/17/2006" </maml:para><maml:para>"Monday, April 17, 2006" </maml:para><maml:para>"2:22:45 PM" </maml:para><maml:para>"Monday, April 17, 2006 2:22:45 PM" </maml:para><maml:para>These examples specify the same date and the time without the seconds. </maml:para><maml:para>"4/17/2006 2:22 PM" </maml:para><maml:para>"Monday, April 17, 2006 2:22 PM" </maml:para><maml:para>"2:22 PM" </maml:para><maml:para>The following example shows how to specify a date and time by using the RFC1123 standard. This example defines time by using Greenwich Mean Time (GMT). </maml:para><maml:para>"Mon, 17 Apr 2006 21:22:48 GMT" </maml:para><maml:para>The following example shows how to specify a round-trip value as Coordinated Universal Time (UTC). This example represents Monday, April 17, 2006 at 2:22:48 PM UTC. </maml:para><maml:para>"2006-04-17T14:22:48.0000000" </maml:para><maml:para>The following example shows how to set this parameter to the date May 1, 2012 at 5 PM. </maml:para><maml:para>-AccountExpirationDate "05/01/2012 5:00:00 PM" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AccountNotDelegated</maml:name><maml:description><maml:para>Specifies whether the security context of the user is delegated to a service. When this parameter is set to true, the security context of the account is not delegated to a service even when the service account is set as trusted for Kerberos delegation. This parameter sets the AccountNotDelegated property for an Active Directory account. This parameter also sets the ADS_UF_NOT_DELEGATED flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that the security context of the account is not delegated to a service. </maml:para><maml:para>-AccountNotDelegated $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AccountPassword</maml:name><maml:description><maml:para>Specifies a new password value for the service account. This value is stored as an encrypted string. </maml:para><maml:para>The following conditions apply based on the manner in which the password parameter is used: </maml:para><maml:para>$null password is specified - Random password is set and the account is enabled unless it is requested to be disabled </maml:para><maml:para>No password is specified - Random password is set and the account is enabled unless it is requested to be disabled </maml:para><maml:para>User password is specified - Password is set and the account is enabled unless it is requested to be disabled, unless the password you provided does not meet password policy or was not set for other reasons, at which point the account is disabled </maml:para><maml:para>The new ADServiceAccount object will always either be disabled or have a user-requested or randomly-generated password. There is no way to create an enabled service account account object with a password that violates domain password policy, such as an empty password. </maml:para><maml:para>The following example shows how to set this parameter. This command will prompt you to enter the password. </maml:para><maml:para>-AccountPassword (Read-Host -AsSecureString "AccountPassword") </maml:para></maml:description><command:parameterValue required="true" variableLength="false">SecureString</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AuthenticationPolicy</maml:name><maml:description><maml:para></maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AuthenticationPolicySilo</maml:name><maml:description><maml:para></maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicySilo</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Certificates</maml:name><maml:description><maml:para>Modifies the DER-encoded X.509v3 certificates of the account. These certificates include the public key certificates issued to this account by the Microsoft Certificate Service. This parameter sets the Certificates property of the account object. The LDAP Display Name (ldapDisplayName) for this property is "userCertificate". </maml:para><maml:para>Syntax: </maml:para><maml:para>To add values: </maml:para><maml:para>-Certificates @{Add=value1,value2,...} </maml:para><maml:para>To remove values: </maml:para><maml:para>-Certificates @{Remove=value3,value4,...} </maml:para><maml:para>To replace values: </maml:para><maml:para>-Certificates @{Replace=value1,value2,...} </maml:para><maml:para>To clear all values: </maml:para><maml:para>-Certificates $null </maml:para><maml:para>You can specify more than one operation by using a list separated by semicolons. For example, use the following syntax to add and remove Certificate values </maml:para><maml:para>-Certificates @{Add=value1,value2,...};@{Remove=value3,value4,...} </maml:para><maml:para>The operators will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>The following example shows how to create a certificate by using the New-Object cmdlet, and then add it to a user account. When this cmdlet is run, <certificate password> is replaced by the password used to add the certificate. </maml:para><maml:para>$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate certificate1.cer <certificate password> </maml:para><maml:para>Set-ADServiceAccount Service1 -Certificates @{Add=$cert} </maml:para><maml:para>The following example shows how to add a certificate that is specified as a byte array. </maml:para><maml:para>Set-ADServiceAccount Service1 -Certificates @{Add= [Byte[]](0xC5,0xEE,0x53,...)} </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the service account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type an administrative account name, such as "Admin1" or "Contoso\Admin1" or you can specify a PSCredential object. If you specify a service account name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then use it to specify the Credential parameter to the ADServiceAccount object. </maml:para><maml:para>The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Contoso\Admin1" </maml:para><maml:para>The following shows how to use the PSCredential object to specify administrative credentials when creating a new ADServiceAccount object by using the Credential parameter. </maml:para><maml:para>New-ADServiceAccount -Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is "displayName". </maml:para><maml:para>The following example shows how to include this parameter when creating a new service account. </maml:para><maml:para>New-ADServiceAccount -DisplayName "Service Account for use with Contoso LOB Application" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Enabled</maml:name><maml:description><maml:para>Specifies if an account is enabled. An enabled account requires a password. This parameter sets the Enabled property for an account object. This parameter also sets the ADS_UF_ACCOUNTDISABLE flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to enable the service account when creating it. </maml:para><maml:para>New-ADServiceAccount -Enabled $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>HomePage</maml:name><maml:description><maml:para>Specifies the URL of the home page of the object. This parameter sets the homePage property of an Active Directory object. The LDAP Display Name (ldapDisplayName) for this property is "wWWHomePage". </maml:para><maml:para>The following example shows how to set this parameter to a URL when creating the service account. </maml:para><maml:para>New-ADServiceAccount -HomePage "http://accounts.contoso.com/Service1" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of a service account object to use as a template for a new service account object. </maml:para><maml:para>You can use an instance of an existing service account object as a template or you can construct a new service account object for template use. You can construct a new service account using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create service account object templates. </maml:para><maml:para>Method 1: Use an existing service account object as a template for a new object. To retrieve an instance of an existing service account object, use a cmdlet such as Get-ADServiceAccount. Then provide this object to the Instance parameter of the New-ADServiceAccount cmdlet to create a new service account object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$serviceAccountInstance = Get-ADServiceAccount -Identity </maml:para><maml:para>New-ADServiceAccount -Name "ServiceAdmin2" -Instance $serviceAccountInstance -Description "Service Account 2" </maml:para><maml:para>Method 2: Create a new ADServiceAccount object and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADServiceAccount cmdlet to create the new Active Directory service account object. </maml:para><maml:para>$serviceAccountInstance = new-object Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>$serviceAccountInstance. Description "Service Account 2" </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADServiceAccount</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>KerberosEncryptionType</maml:name><maml:description><maml:para>Specifies whether an account supports Kerberos encryption types which are used during creation of service tickets. This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes attribute. Possible values for this parameter are: </maml:para><maml:para>None </maml:para><maml:para>DES </maml:para><maml:para>RC4 </maml:para><maml:para>AES128 </maml:para><maml:para>AES256 </maml:para><maml:para>None, will remove all encryption types from the account may result in the KDC being unable to issue service tickets for services using the account. </maml:para><maml:para>DES is a weak encryption type which is not supported by default since Windows 7 and Windows Server 2008 R2. </maml:para><maml:para>The following example shows how to specify that an account supports service tickets with device authorization data. </maml:para><maml:para>-KerberosEncryptionTypes RC4,AES128,AES256 </maml:para><maml:para>Warning: Domain-joined Windows systems and services such as clustering manage their own msDS-SupportedEncryptionTypes attribute. Therefore any changes to the flag on the msDS-SupportedEncryptionTypes attribute will be overwritten by the service or system which manages the setting. </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">None</command:parameterValue><command:parameterValue required="true" variableLength="false">DES</command:parameterValue><command:parameterValue required="true" variableLength="false">RC4</command:parameterValue><command:parameterValue required="true" variableLength="false">AES128</command:parameterValue><command:parameterValue required="true" variableLength="false">AES256</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OtherAttributes</maml:name><maml:description><maml:para>Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory schema. </maml:para><maml:para>Syntax: </maml:para><maml:para>To specify a single value for an attribute: </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value} </maml:para><maml:para>To specify multiple values for an attribute </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...} </maml:para><maml:para>You can specify values for more than one attribute by using semicolons to separate attributes. The following syntax shows how to set values for multiple attributes: </maml:para><maml:para>-OtherAttributes @{'Attribute1LDAPDisplayName'=value; 'Attribute2LDAPDisplayName'=value1,value2;...} </maml:para><maml:para>The following examples show how to use this parameter. </maml:para><maml:para>To set the value of a custom attribute called favColors that takes a set of Unicode strings, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"} </maml:para><maml:para>To set values for favColors and dateOfBirth simultaneously, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"; 'dateOfBirth'=" 01/01/1960"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Path</maml:name><maml:description><maml:para>Specifies the X.500 path of the Organizational Unit (OU) or container where the new object is created. </maml:para><maml:para>In many cases, a default value will be used for the Path parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Path will be set in the following cases: </maml:para><maml:para>- If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive. </maml:para><maml:para>- If the cmdlet has a default path, this will be used. For example: in New-ADUser, the Path parameter would default to the Users container. </maml:para><maml:para>- If none of the previous cases apply, the default value of Path will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Path will be set in the following cases: </maml:para><maml:para>- If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive. </maml:para><maml:para>- If the cmdlet has a default path, this will be used. For example: in New-ADUser, the Path parameter would default to the Users container. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Path will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Path parameter will not take any default value. </maml:para><maml:para>The following example shows how to set this parameter to an OU. </maml:para><maml:para>-Path "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>Note: The Active Directory Provider cmdlets, such New-Item, Remove-Item, Remove-ItemProperty, Rename-Item and Set-ItemProperty also contain a Path property. However, for the provider cmdlets, the Path parameter identifies the path of the actual object and not the container as with the Active Directory cmdlets. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>SamAccountName</maml:name><maml:description><maml:para>Specifies the Security Account Manager (SAM) account name of the user, group, computer, or service account. The maximum length of the description is 256 characters. To be compatible with older operating systems, create a SAM account name that is 20 characters or less. This parameter sets the SAMAccountName for an account object. The LDAP display name (ldapDisplayName) for this property is "sAMAccountName". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-SAMAccountName "Service1" </maml:para><maml:para>Note: If the SAMAccountName string provided, does not end with a '$', one will be appended if needed. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name (FQDN) </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>New-ADServiceAccount -Server "corp.contoso.com" </maml:para><maml:para>The following example shows how to specify a full qualified directory server name as the parameter value. </maml:para><maml:para>New-ADServiceAccount -Server "corp-DC12.corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ServicePrincipalNames</maml:name><maml:description><maml:para>Specifies the service principal names for the account. This parameter sets the ServicePrincipalNames property of the account. The LDAP display name (ldapDisplayName) for this property is servicePrincipalName. This parameter uses the following syntax to add remove, replace or clear service principal name values. </maml:para><maml:para>Syntax: </maml:para><maml:para>To add values: </maml:para><maml:para>-ServicePrincipalNames @{Add=value1,value2,...} </maml:para><maml:para>To remove values: </maml:para><maml:para>-ServicePrincipalNames @{Remove=value3,value4,...} </maml:para><maml:para>To replace values: </maml:para><maml:para>-ServicePrincipalNames @{Replace=value1,value2,...} </maml:para><maml:para>To clear all values: </maml:para><maml:para>-ServicePrincipalNames $null </maml:para><maml:para>You can specify more than one change by using a list separated by semicolons. For example, use the following syntax to add and remove service principal names. </maml:para><maml:para>@{Add=value1,value2,...};@{Remove=value3,value4,...} </maml:para><maml:para>The operators will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>The following example shows how to add and remove service principal names. </maml:para><maml:para>-ServicePrincipalNames-@{Add="SQLservice\accounting.corp.contoso.com:1456"};{Remove="SQLservice\finance.corp.contoso.com:1456"} </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>TrustedForDelegation</maml:name><maml:description><maml:para>Specifies whether an account is trusted for Kerberos delegation. A service that runs under an account that is trusted for Kerberos delegation can assume the identity of a client requesting the service. This parameter sets the TrustedForDelegation property of an account object. This value also sets the ADS_UF_TRUSTED_FOR_DELEGATION flag of the Active Directory User Account Control attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to specify that an account is trusted for Kerberos delegation. </maml:para><maml:para>-TrustedForDelegation $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>RestrictToSingleComputer</maml:name><maml:description><maml:para>Switch which is used to create a managed service account that can be used only for a single computer. These managed service accounts which are linked to a single computer account were introduced in Windows Server 2008 R2. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>New-ADServiceAccount</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name". </maml:para><maml:para>The following example shows how to set this parameter to a name string. </maml:para><maml:para>-Name "Service1" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AccountExpirationDate</maml:name><maml:description><maml:para>Specifies the expiration date for an account. When you set this parameter to 0, the account never expires. This parameter sets the AccountExpirationDate property of an account object. The LDAP Display name (ldapDisplayName) for this property is accountExpires. </maml:para><maml:para>Use the DateTime syntax when you specify this parameter. Time is assumed to be local time unless otherwise specified. When a time value is not specified, the time is assumed to 12:00:00 AM local time. When a date is not specified, the date is assumed to be the current date. The following examples show commonly-used syntax to specify a DateTime object. </maml:para><maml:para>"4/17/2006" </maml:para><maml:para>"Monday, April 17, 2006" </maml:para><maml:para>"2:22:45 PM" </maml:para><maml:para>"Monday, April 17, 2006 2:22:45 PM" </maml:para><maml:para>These examples specify the same date and the time without the seconds. </maml:para><maml:para>"4/17/2006 2:22 PM" </maml:para><maml:para>"Monday, April 17, 2006 2:22 PM" </maml:para><maml:para>"2:22 PM" </maml:para><maml:para>The following example shows how to specify a date and time by using the RFC1123 standard. This example defines time by using Greenwich Mean Time (GMT). </maml:para><maml:para>"Mon, 17 Apr 2006 21:22:48 GMT" </maml:para><maml:para>The following example shows how to specify a round-trip value as Coordinated Universal Time (UTC). This example represents Monday, April 17, 2006 at 2:22:48 PM UTC. </maml:para><maml:para>"2006-04-17T14:22:48.0000000" </maml:para><maml:para>The following example shows how to set this parameter to the date May 1, 2012 at 5 PM. </maml:para><maml:para>-AccountExpirationDate "05/01/2012 5:00:00 PM" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AccountNotDelegated</maml:name><maml:description><maml:para>Specifies whether the security context of the user is delegated to a service. When this parameter is set to true, the security context of the account is not delegated to a service even when the service account is set as trusted for Kerberos delegation. This parameter sets the AccountNotDelegated property for an Active Directory account. This parameter also sets the ADS_UF_NOT_DELEGATED flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that the security context of the account is not delegated to a service. </maml:para><maml:para>-AccountNotDelegated $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AuthenticationPolicy</maml:name><maml:description><maml:para></maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AuthenticationPolicySilo</maml:name><maml:description><maml:para></maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicySilo</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Certificates</maml:name><maml:description><maml:para>Modifies the DER-encoded X.509v3 certificates of the account. These certificates include the public key certificates issued to this account by the Microsoft Certificate Service. This parameter sets the Certificates property of the account object. The LDAP Display Name (ldapDisplayName) for this property is "userCertificate". </maml:para><maml:para>Syntax: </maml:para><maml:para>To add values: </maml:para><maml:para>-Certificates @{Add=value1,value2,...} </maml:para><maml:para>To remove values: </maml:para><maml:para>-Certificates @{Remove=value3,value4,...} </maml:para><maml:para>To replace values: </maml:para><maml:para>-Certificates @{Replace=value1,value2,...} </maml:para><maml:para>To clear all values: </maml:para><maml:para>-Certificates $null </maml:para><maml:para>You can specify more than one operation by using a list separated by semicolons. For example, use the following syntax to add and remove Certificate values </maml:para><maml:para>-Certificates @{Add=value1,value2,...};@{Remove=value3,value4,...} </maml:para><maml:para>The operators will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>The following example shows how to create a certificate by using the New-Object cmdlet, and then add it to a user account. When this cmdlet is run, <certificate password> is replaced by the password used to add the certificate. </maml:para><maml:para>$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate certificate1.cer <certificate password> </maml:para><maml:para>Set-ADServiceAccount Service1 -Certificates @{Add=$cert} </maml:para><maml:para>The following example shows how to add a certificate that is specified as a byte array. </maml:para><maml:para>Set-ADServiceAccount Service1 -Certificates @{Add= [Byte[]](0xC5,0xEE,0x53,...)} </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the service account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type an administrative account name, such as "Admin1" or "Contoso\Admin1" or you can specify a PSCredential object. If you specify a service account name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then use it to specify the Credential parameter to the ADServiceAccount object. </maml:para><maml:para>The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Contoso\Admin1" </maml:para><maml:para>The following shows how to use the PSCredential object to specify administrative credentials when creating a new ADServiceAccount object by using the Credential parameter. </maml:para><maml:para>New-ADServiceAccount -Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is "displayName". </maml:para><maml:para>The following example shows how to include this parameter when creating a new service account. </maml:para><maml:para>New-ADServiceAccount -DisplayName "Service Account for use with Contoso LOB Application" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Enabled</maml:name><maml:description><maml:para>Specifies if an account is enabled. An enabled account requires a password. This parameter sets the Enabled property for an account object. This parameter also sets the ADS_UF_ACCOUNTDISABLE flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to enable the service account when creating it. </maml:para><maml:para>New-ADServiceAccount -Enabled $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>HomePage</maml:name><maml:description><maml:para>Specifies the URL of the home page of the object. This parameter sets the homePage property of an Active Directory object. The LDAP Display Name (ldapDisplayName) for this property is "wWWHomePage". </maml:para><maml:para>The following example shows how to set this parameter to a URL when creating the service account. </maml:para><maml:para>New-ADServiceAccount -HomePage "http://accounts.contoso.com/Service1" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of a service account object to use as a template for a new service account object. </maml:para><maml:para>You can use an instance of an existing service account object as a template or you can construct a new service account object for template use. You can construct a new service account using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create service account object templates. </maml:para><maml:para>Method 1: Use an existing service account object as a template for a new object. To retrieve an instance of an existing service account object, use a cmdlet such as Get-ADServiceAccount. Then provide this object to the Instance parameter of the New-ADServiceAccount cmdlet to create a new service account object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$serviceAccountInstance = Get-ADServiceAccount -Identity </maml:para><maml:para>New-ADServiceAccount -Name "ServiceAdmin2" -Instance $serviceAccountInstance -Description "Service Account 2" </maml:para><maml:para>Method 2: Create a new ADServiceAccount object and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADServiceAccount cmdlet to create the new Active Directory service account object. </maml:para><maml:para>$serviceAccountInstance = new-object Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>$serviceAccountInstance. Description "Service Account 2" </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADServiceAccount</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>KerberosEncryptionType</maml:name><maml:description><maml:para>Specifies whether an account supports Kerberos encryption types which are used during creation of service tickets. This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes attribute. Possible values for this parameter are: </maml:para><maml:para>None </maml:para><maml:para>DES </maml:para><maml:para>RC4 </maml:para><maml:para>AES128 </maml:para><maml:para>AES256 </maml:para><maml:para>None, will remove all encryption types from the account may result in the KDC being unable to issue service tickets for services using the account. </maml:para><maml:para>DES is a weak encryption type which is not supported by default since Windows 7 and Windows Server 2008 R2. </maml:para><maml:para>The following example shows how to specify that an account supports service tickets with device authorization data. </maml:para><maml:para>-KerberosEncryptionTypes RC4,AES128,AES256 </maml:para><maml:para>Warning: Domain-joined Windows systems and services such as clustering manage their own msDS-SupportedEncryptionTypes attribute. Therefore any changes to the flag on the msDS-SupportedEncryptionTypes attribute will be overwritten by the service or system which manages the setting. </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">None</command:parameterValue><command:parameterValue required="true" variableLength="false">DES</command:parameterValue><command:parameterValue required="true" variableLength="false">RC4</command:parameterValue><command:parameterValue required="true" variableLength="false">AES128</command:parameterValue><command:parameterValue required="true" variableLength="false">AES256</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OtherAttributes</maml:name><maml:description><maml:para>Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory schema. </maml:para><maml:para>Syntax: </maml:para><maml:para>To specify a single value for an attribute: </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value} </maml:para><maml:para>To specify multiple values for an attribute </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...} </maml:para><maml:para>You can specify values for more than one attribute by using semicolons to separate attributes. The following syntax shows how to set values for multiple attributes: </maml:para><maml:para>-OtherAttributes @{'Attribute1LDAPDisplayName'=value; 'Attribute2LDAPDisplayName'=value1,value2;...} </maml:para><maml:para>The following examples show how to use this parameter. </maml:para><maml:para>To set the value of a custom attribute called favColors that takes a set of Unicode strings, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"} </maml:para><maml:para>To set values for favColors and dateOfBirth simultaneously, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"; 'dateOfBirth'=" 01/01/1960"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Path</maml:name><maml:description><maml:para>Specifies the X.500 path of the Organizational Unit (OU) or container where the new object is created. </maml:para><maml:para>In many cases, a default value will be used for the Path parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Path will be set in the following cases: </maml:para><maml:para>- If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive. </maml:para><maml:para>- If the cmdlet has a default path, this will be used. For example: in New-ADUser, the Path parameter would default to the Users container. </maml:para><maml:para>- If none of the previous cases apply, the default value of Path will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Path will be set in the following cases: </maml:para><maml:para>- If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive. </maml:para><maml:para>- If the cmdlet has a default path, this will be used. For example: in New-ADUser, the Path parameter would default to the Users container. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Path will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Path parameter will not take any default value. </maml:para><maml:para>The following example shows how to set this parameter to an OU. </maml:para><maml:para>-Path "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>Note: The Active Directory Provider cmdlets, such New-Item, Remove-Item, Remove-ItemProperty, Rename-Item and Set-ItemProperty also contain a Path property. However, for the provider cmdlets, the Path parameter identifies the path of the actual object and not the container as with the Active Directory cmdlets. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>SamAccountName</maml:name><maml:description><maml:para>Specifies the Security Account Manager (SAM) account name of the user, group, computer, or service account. The maximum length of the description is 256 characters. To be compatible with older operating systems, create a SAM account name that is 20 characters or less. This parameter sets the SAMAccountName for an account object. The LDAP display name (ldapDisplayName) for this property is "sAMAccountName". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-SAMAccountName "Service1" </maml:para><maml:para>Note: If the SAMAccountName string provided, does not end with a '$', one will be appended if needed. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name (FQDN) </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>New-ADServiceAccount -Server "corp.contoso.com" </maml:para><maml:para>The following example shows how to specify a full qualified directory server name as the parameter value. </maml:para><maml:para>New-ADServiceAccount -Server "corp-DC12.corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ServicePrincipalNames</maml:name><maml:description><maml:para>Specifies the service principal names for the account. This parameter sets the ServicePrincipalNames property of the account. The LDAP display name (ldapDisplayName) for this property is servicePrincipalName. This parameter uses the following syntax to add remove, replace or clear service principal name values. </maml:para><maml:para>Syntax: </maml:para><maml:para>To add values: </maml:para><maml:para>-ServicePrincipalNames @{Add=value1,value2,...} </maml:para><maml:para>To remove values: </maml:para><maml:para>-ServicePrincipalNames @{Remove=value3,value4,...} </maml:para><maml:para>To replace values: </maml:para><maml:para>-ServicePrincipalNames @{Replace=value1,value2,...} </maml:para><maml:para>To clear all values: </maml:para><maml:para>-ServicePrincipalNames $null </maml:para><maml:para>You can specify more than one change by using a list separated by semicolons. For example, use the following syntax to add and remove service principal names. </maml:para><maml:para>@{Add=value1,value2,...};@{Remove=value3,value4,...} </maml:para><maml:para>The operators will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>The following example shows how to add and remove service principal names. </maml:para><maml:para>-ServicePrincipalNames-@{Add="SQLservice\accounting.corp.contoso.com:1456"};{Remove="SQLservice\finance.corp.contoso.com:1456"} </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>TrustedForDelegation</maml:name><maml:description><maml:para>Specifies whether an account is trusted for Kerberos delegation. A service that runs under an account that is trusted for Kerberos delegation can assume the identity of a client requesting the service. This parameter sets the TrustedForDelegation property of an account object. This value also sets the ADS_UF_TRUSTED_FOR_DELEGATION flag of the Active Directory User Account Control attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to specify that an account is trusted for Kerberos delegation. </maml:para><maml:para>-TrustedForDelegation $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>RestrictToOutboundAuthenticationOnly</maml:name><maml:description><maml:para>Switch which is used to create a group managed service account which on success can be used by a service for successful outbound authentication requests only. This allows creating a group managed service account without the parameters required for successful inbound authentication. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AccountExpirationDate</maml:name><maml:description><maml:para>Specifies the expiration date for an account. When you set this parameter to 0, the account never expires. This parameter sets the AccountExpirationDate property of an account object. The LDAP Display name (ldapDisplayName) for this property is accountExpires. </maml:para><maml:para>Use the DateTime syntax when you specify this parameter. Time is assumed to be local time unless otherwise specified. When a time value is not specified, the time is assumed to 12:00:00 AM local time. When a date is not specified, the date is assumed to be the current date. The following examples show commonly-used syntax to specify a DateTime object. </maml:para><maml:para>"4/17/2006" </maml:para><maml:para>"Monday, April 17, 2006" </maml:para><maml:para>"2:22:45 PM" </maml:para><maml:para>"Monday, April 17, 2006 2:22:45 PM" </maml:para><maml:para>These examples specify the same date and the time without the seconds. </maml:para><maml:para>"4/17/2006 2:22 PM" </maml:para><maml:para>"Monday, April 17, 2006 2:22 PM" </maml:para><maml:para>"2:22 PM" </maml:para><maml:para>The following example shows how to specify a date and time by using the RFC1123 standard. This example defines time by using Greenwich Mean Time (GMT). </maml:para><maml:para>"Mon, 17 Apr 2006 21:22:48 GMT" </maml:para><maml:para>The following example shows how to specify a round-trip value as Coordinated Universal Time (UTC). This example represents Monday, April 17, 2006 at 2:22:48 PM UTC. </maml:para><maml:para>"2006-04-17T14:22:48.0000000" </maml:para><maml:para>The following example shows how to set this parameter to the date May 1, 2012 at 5 PM. </maml:para><maml:para>-AccountExpirationDate "05/01/2012 5:00:00 PM" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue><dev:type><maml:name>DateTime</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AccountNotDelegated</maml:name><maml:description><maml:para>Specifies whether the security context of the user is delegated to a service. When this parameter is set to true, the security context of the account is not delegated to a service even when the service account is set as trusted for Kerberos delegation. This parameter sets the AccountNotDelegated property for an Active Directory account. This parameter also sets the ADS_UF_NOT_DELEGATED flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that the security context of the account is not delegated to a service. </maml:para><maml:para>-AccountNotDelegated $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AccountPassword</maml:name><maml:description><maml:para>Specifies a new password value for the service account. This value is stored as an encrypted string. </maml:para><maml:para>The following conditions apply based on the manner in which the password parameter is used: </maml:para><maml:para>$null password is specified - Random password is set and the account is enabled unless it is requested to be disabled </maml:para><maml:para>No password is specified - Random password is set and the account is enabled unless it is requested to be disabled </maml:para><maml:para>User password is specified - Password is set and the account is enabled unless it is requested to be disabled, unless the password you provided does not meet password policy or was not set for other reasons, at which point the account is disabled </maml:para><maml:para>The new ADServiceAccount object will always either be disabled or have a user-requested or randomly-generated password. There is no way to create an enabled service account account object with a password that violates domain password policy, such as an empty password. </maml:para><maml:para>The following example shows how to set this parameter. This command will prompt you to enter the password. </maml:para><maml:para>-AccountPassword (Read-Host -AsSecureString "AccountPassword") </maml:para></maml:description><command:parameterValue required="true" variableLength="false">SecureString</command:parameterValue><dev:type><maml:name>SecureString</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AuthenticationPolicy</maml:name><maml:description><maml:para></maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue><dev:type><maml:name>ADAuthenticationPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AuthenticationPolicySilo</maml:name><maml:description><maml:para></maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicySilo</command:parameterValue><dev:type><maml:name>ADAuthenticationPolicySilo</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Certificates</maml:name><maml:description><maml:para>Modifies the DER-encoded X.509v3 certificates of the account. These certificates include the public key certificates issued to this account by the Microsoft Certificate Service. This parameter sets the Certificates property of the account object. The LDAP Display Name (ldapDisplayName) for this property is "userCertificate". </maml:para><maml:para>Syntax: </maml:para><maml:para>To add values: </maml:para><maml:para>-Certificates @{Add=value1,value2,...} </maml:para><maml:para>To remove values: </maml:para><maml:para>-Certificates @{Remove=value3,value4,...} </maml:para><maml:para>To replace values: </maml:para><maml:para>-Certificates @{Replace=value1,value2,...} </maml:para><maml:para>To clear all values: </maml:para><maml:para>-Certificates $null </maml:para><maml:para>You can specify more than one operation by using a list separated by semicolons. For example, use the following syntax to add and remove Certificate values </maml:para><maml:para>-Certificates @{Add=value1,value2,...};@{Remove=value3,value4,...} </maml:para><maml:para>The operators will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>The following example shows how to create a certificate by using the New-Object cmdlet, and then add it to a user account. When this cmdlet is run, <certificate password> is replaced by the password used to add the certificate. </maml:para><maml:para>$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate certificate1.cer <certificate password> </maml:para><maml:para>Set-ADServiceAccount Service1 -Certificates @{Add=$cert} </maml:para><maml:para>The following example shows how to add a certificate that is specified as a byte array. </maml:para><maml:para>Set-ADServiceAccount Service1 -Certificates @{Add= [Byte[]](0xC5,0xEE,0x53,...)} </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>CompoundIdentitySupported</maml:name><maml:description><maml:para>Specifies whether an account supports Kerberos service tickets which includes the authorization data for the user's device. This value sets the compound identity supported flag of the Active Directory msDS-SupportedEncryptionTypes attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to specify that an account supports compound identity. </maml:para><maml:para>-CompoundIdentitySupported $true </maml:para><maml:para>Warning: Domain-joined Windows systems and services such as clustering manage their own msDS-SupportedEncryptionTypes attribute. Therefore any changes to the flag on the msDS-SupportedEncryptionTypes attribute will be overwritten by the service or system which manages the setting. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the service account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type an administrative account name, such as "Admin1" or "Contoso\Admin1" or you can specify a PSCredential object. If you specify a service account name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then use it to specify the Credential parameter to the ADServiceAccount object. </maml:para><maml:para>The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Contoso\Admin1" </maml:para><maml:para>The following shows how to use the PSCredential object to specify administrative credentials when creating a new ADServiceAccount object by using the Credential parameter. </maml:para><maml:para>New-ADServiceAccount -Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>DNSHostName</maml:name><maml:description><maml:para>Specifies the Domain Name System (DNS) host name. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is "displayName". </maml:para><maml:para>The following example shows how to include this parameter when creating a new service account. </maml:para><maml:para>New-ADServiceAccount -DisplayName "Service Account for use with Contoso LOB Application" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Enabled</maml:name><maml:description><maml:para>Specifies if an account is enabled. An enabled account requires a password. This parameter sets the Enabled property for an account object. This parameter also sets the ADS_UF_ACCOUNTDISABLE flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to enable the service account when creating it. </maml:para><maml:para>New-ADServiceAccount -Enabled $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>HomePage</maml:name><maml:description><maml:para>Specifies the URL of the home page of the object. This parameter sets the homePage property of an Active Directory object. The LDAP Display Name (ldapDisplayName) for this property is "wWWHomePage". </maml:para><maml:para>The following example shows how to set this parameter to a URL when creating the service account. </maml:para><maml:para>New-ADServiceAccount -HomePage "http://accounts.contoso.com/Service1" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of a service account object to use as a template for a new service account object. </maml:para><maml:para>You can use an instance of an existing service account object as a template or you can construct a new service account object for template use. You can construct a new service account using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create service account object templates. </maml:para><maml:para>Method 1: Use an existing service account object as a template for a new object. To retrieve an instance of an existing service account object, use a cmdlet such as Get-ADServiceAccount. Then provide this object to the Instance parameter of the New-ADServiceAccount cmdlet to create a new service account object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$serviceAccountInstance = Get-ADServiceAccount -Identity </maml:para><maml:para>New-ADServiceAccount -Name "ServiceAdmin2" -Instance $serviceAccountInstance -Description "Service Account 2" </maml:para><maml:para>Method 2: Create a new ADServiceAccount object and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADServiceAccount cmdlet to create the new Active Directory service account object. </maml:para><maml:para>$serviceAccountInstance = new-object Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>$serviceAccountInstance. Description "Service Account 2" </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADServiceAccount</command:parameterValue><dev:type><maml:name>ADServiceAccount</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>KerberosEncryptionType</maml:name><maml:description><maml:para>Specifies whether an account supports Kerberos encryption types which are used during creation of service tickets. This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes attribute. Possible values for this parameter are: </maml:para><maml:para>None </maml:para><maml:para>DES </maml:para><maml:para>RC4 </maml:para><maml:para>AES128 </maml:para><maml:para>AES256 </maml:para><maml:para>None, will remove all encryption types from the account may result in the KDC being unable to issue service tickets for services using the account. </maml:para><maml:para>DES is a weak encryption type which is not supported by default since Windows 7 and Windows Server 2008 R2. </maml:para><maml:para>The following example shows how to specify that an account supports service tickets with device authorization data. </maml:para><maml:para>-KerberosEncryptionTypes RC4,AES128,AES256 </maml:para><maml:para>Warning: Domain-joined Windows systems and services such as clustering manage their own msDS-SupportedEncryptionTypes attribute. Therefore any changes to the flag on the msDS-SupportedEncryptionTypes attribute will be overwritten by the service or system which manages the setting. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADKerberosEncryptionType</command:parameterValue><dev:type><maml:name>ADKerberosEncryptionType</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ManagedPasswordIntervalInDays</maml:name><maml:description><maml:para>Specifies the number of days for the password change interval. If set to 0 then the default is used. This can only be set on object creation. After that the setting is read only. This value returns the msDS-ManagedPasswordInterval of the group managed service account object. </maml:para><maml:para>The following example shows how to specify a 90 day password changes interval: </maml:para><maml:para>-ManagedPasswordIntervalInDays 90 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue>30</dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name". </maml:para><maml:para>The following example shows how to set this parameter to a name string. </maml:para><maml:para>-Name "Service1" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OtherAttributes</maml:name><maml:description><maml:para>Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory schema. </maml:para><maml:para>Syntax: </maml:para><maml:para>To specify a single value for an attribute: </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value} </maml:para><maml:para>To specify multiple values for an attribute </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...} </maml:para><maml:para>You can specify values for more than one attribute by using semicolons to separate attributes. The following syntax shows how to set values for multiple attributes: </maml:para><maml:para>-OtherAttributes @{'Attribute1LDAPDisplayName'=value; 'Attribute2LDAPDisplayName'=value1,value2;...} </maml:para><maml:para>The following examples show how to use this parameter. </maml:para><maml:para>To set the value of a custom attribute called favColors that takes a set of Unicode strings, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"} </maml:para><maml:para>To set values for favColors and dateOfBirth simultaneously, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"; 'dateOfBirth'=" 01/01/1960"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Path</maml:name><maml:description><maml:para>Specifies the X.500 path of the Organizational Unit (OU) or container where the new object is created. </maml:para><maml:para>In many cases, a default value will be used for the Path parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Path will be set in the following cases: </maml:para><maml:para>- If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive. </maml:para><maml:para>- If the cmdlet has a default path, this will be used. For example: in New-ADUser, the Path parameter would default to the Users container. </maml:para><maml:para>- If none of the previous cases apply, the default value of Path will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Path will be set in the following cases: </maml:para><maml:para>- If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive. </maml:para><maml:para>- If the cmdlet has a default path, this will be used. For example: in New-ADUser, the Path parameter would default to the Users container. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Path will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Path parameter will not take any default value. </maml:para><maml:para>The following example shows how to set this parameter to an OU. </maml:para><maml:para>-Path "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>Note: The Active Directory Provider cmdlets, such New-Item, Remove-Item, Remove-ItemProperty, Rename-Item and Set-ItemProperty also contain a Path property. However, for the provider cmdlets, the Path parameter identifies the path of the actual object and not the container as with the Active Directory cmdlets. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>PrincipalsAllowedToDelegateToAccount</maml:name><maml:description><maml:para>Specifies the accounts which can act on the behalf of users to services running as this Managed Service Account or Group Managed Service Account. This parameter sets the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the object. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADPrincipal[]</command:parameterValue><dev:type><maml:name>ADPrincipal[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>PrincipalsAllowedToRetrieveManagedPassword</maml:name><maml:description><maml:para>Specifies the membership policy for systems which can use a group managed service account. For a service to run under a group managed service account, the system must be in the membership policy of the account. This parameter sets the msDS-GroupMSAMembership attribute of a group managed service account object. This parameter should be set to the principals allowed to use this group managed service account. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADPrincipal[]</command:parameterValue><dev:type><maml:name>ADPrincipal[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>RestrictToOutboundAuthenticationOnly</maml:name><maml:description><maml:para>Switch which is used to create a group managed service account which on success can be used by a service for successful outbound authentication requests only. This allows creating a group managed service account without the parameters required for successful inbound authentication. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>RestrictToSingleComputer</maml:name><maml:description><maml:para>Switch which is used to create a managed service account that can be used only for a single computer. These managed service accounts which are linked to a single computer account were introduced in Windows Server 2008 R2. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>SamAccountName</maml:name><maml:description><maml:para>Specifies the Security Account Manager (SAM) account name of the user, group, computer, or service account. The maximum length of the description is 256 characters. To be compatible with older operating systems, create a SAM account name that is 20 characters or less. This parameter sets the SAMAccountName for an account object. The LDAP display name (ldapDisplayName) for this property is "sAMAccountName". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-SAMAccountName "Service1" </maml:para><maml:para>Note: If the SAMAccountName string provided, does not end with a '$', one will be appended if needed. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name (FQDN) </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>New-ADServiceAccount -Server "corp.contoso.com" </maml:para><maml:para>The following example shows how to specify a full qualified directory server name as the parameter value. </maml:para><maml:para>New-ADServiceAccount -Server "corp-DC12.corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ServicePrincipalNames</maml:name><maml:description><maml:para>Specifies the service principal names for the account. This parameter sets the ServicePrincipalNames property of the account. The LDAP display name (ldapDisplayName) for this property is servicePrincipalName. This parameter uses the following syntax to add remove, replace or clear service principal name values. </maml:para><maml:para>Syntax: </maml:para><maml:para>To add values: </maml:para><maml:para>-ServicePrincipalNames @{Add=value1,value2,...} </maml:para><maml:para>To remove values: </maml:para><maml:para>-ServicePrincipalNames @{Remove=value3,value4,...} </maml:para><maml:para>To replace values: </maml:para><maml:para>-ServicePrincipalNames @{Replace=value1,value2,...} </maml:para><maml:para>To clear all values: </maml:para><maml:para>-ServicePrincipalNames $null </maml:para><maml:para>You can specify more than one change by using a list separated by semicolons. For example, use the following syntax to add and remove service principal names. </maml:para><maml:para>@{Add=value1,value2,...};@{Remove=value3,value4,...} </maml:para><maml:para>The operators will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>The following example shows how to add and remove service principal names. </maml:para><maml:para>-ServicePrincipalNames-@{Add="SQLservice\accounting.corp.contoso.com:1456"};{Remove="SQLservice\finance.corp.contoso.com:1456"} </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>TrustedForDelegation</maml:name><maml:description><maml:para>Specifies whether an account is trusted for Kerberos delegation. A service that runs under an account that is trusted for Kerberos delegation can assume the identity of a client requesting the service. This parameter sets the TrustedForDelegation property of an account object. This value also sets the ADS_UF_TRUSTED_FOR_DELEGATION flag of the Active Directory User Account Control attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to specify that an account is trusted for Kerberos delegation. </maml:para><maml:para>-TrustedForDelegation $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADServiceAccount</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A managed service account object that is a template for the new managed service account object is received by the Instance parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADServiceAccount</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns the new managed service account object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with AD LDS. </maml:para><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para><maml:para>This cmdlet requires that you create a Microsoft Key Distribution Service root key first to begin using group managed service accounts in your Active Directory deployment. For more information on how to create the KDS root key using Windows PowerShell, see <maml:navigationLink><maml:linkText>Create the Key Distribution Services KDS Root Key</maml:linkText><maml:uri></maml:uri></maml:navigationLink> (http://go.microsoft.com/fwlink/?LinkId=253584).</maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADServiceAccount service1 -DNSHostName service1.contoso.com -Enabled $true </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new enabled managed service account in AD DS. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADServiceAccount service1 -ServicePrincipalNames "MSSQLSVC/Machine3.corp.contoso.com" -DNSHostName service1.contoso.com </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new managed service account and register its service principal name. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADServiceAccount service1 -RestrictToSingleComputer </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new managed service account and restrict its use to only a single computer. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADServiceAccount service1 -RestrictToOutboundAuthenticationOnly </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new managed service account and restrict its use to only outbound authentication. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291076</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Install-ADServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Uninstall-ADServiceAccount</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>New-ADUser</command:name><maml:description><maml:para>Creates a new Active Directory user.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>New</command:verb><command:noun>ADUser</command:noun><dev:version /></command:details><maml:description><maml:para>The New-ADUser cmdlet creates a new Active Directory user. You can set commonly used user property values by using the cmdlet parameters. </maml:para><maml:para>Property values that are not associated with cmdlet parameters can be set by using the OtherAttributes parameter. When using this parameter be sure to place single quotes around the attribute name as in the following example. </maml:para><maml:para>New-ADUser -SamAccountName "glenjohn" -GivenName "Glen" -Surname "John" -DisplayName "Glen John" -Path 'CN=Users,DC=fabrikam,DC=local' -OtherAttributes @{'msDS-PhoneticDisplayName'="GlenJohn"} </maml:para><maml:para>You must specify the SAMAccountName parameter to create a user. </maml:para><maml:para>You can use the New-ADUser cmdlet to create different types of user accounts such as iNetOrgPerson accounts. To do this in AD DS, set the Type parameter to the LDAP display name for the type of account you want to create. This type can be any class in the Active Directory schema that is a subclass of user and that has an object category of person. </maml:para><maml:para>The Path parameter specifies the container or organizational unit (OU) for the new user. When you do not specify the Path parameter, the cmdlet creates a user object in the default container for user objects in the domain. </maml:para><maml:para>The following methods explain different ways to create an object by using this cmdlet. </maml:para><maml:para>Method 1: Use the New-ADUser cmdlet, specify the required parameters, and set any additional property values by using the cmdlet parameters. </maml:para><maml:para>Method 2: Use a template to create the new object. To do this, create a new user object or retrieve a copy of an existing user object and set the Instance parameter to this object. The object provided to the Instance parameter is used as a template for the new object. You can override property values from the template by setting cmdlet parameters. For examples and more information, see the Instance parameter description for this cmdlet. </maml:para><maml:para>Method 3: Use the Import-CSV cmdlet with the New-ADUser cmdlet to create multiple Active Directory user objects. To do this, use the Import-CSV cmdlet to create the custom objects from a comma-separated value (CSV) file that contains a list of object properties. Then pass these objects through the pipeline to the New-ADUser cmdlet to create the user objects. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>New-ADUser</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name". </maml:para><maml:para>The following example shows how to set this parameter to a name string. </maml:para><maml:para>-Name "SaraDavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AccountExpirationDate</maml:name><maml:description><maml:para>Specifies the expiration date for an account. When you set this parameter to 0, the account never expires. This parameter sets the AccountExpirationDate property of an account object. The LDAP Display name (ldapDisplayName) for this property is accountExpires. </maml:para><maml:para>Use the DateTime syntax when you specify this parameter. Time is assumed to be local time unless otherwise specified. When a time value is not specified, the time is assumed to 12:00:00 AM local time. When a date is not specified, the date is assumed to be the current date. The following examples show commonly-used syntax to specify a DateTime object. </maml:para><maml:para>"4/17/2006" </maml:para><maml:para>"Monday, April 17, 2006" </maml:para><maml:para>"2:22:45 PM" </maml:para><maml:para>"Monday, April 17, 2006 2:22:45 PM" </maml:para><maml:para>These examples specify the same date and the time without the seconds. </maml:para><maml:para>"4/17/2006 2:22 PM" </maml:para><maml:para>"Monday, April 17, 2006 2:22 PM" </maml:para><maml:para>"2:22 PM" </maml:para><maml:para>The following example shows how to specify a date and time by using the RFC1123 standard. This example defines time by using Greenwich Mean Time (GMT). </maml:para><maml:para>"Mon, 17 Apr 2006 21:22:48 GMT" </maml:para><maml:para>The following example shows how to specify a round-trip value as Coordinated Universal Time (UTC). This example represents Monday, April 17, 2006 at 2:22:48 PM UTC. </maml:para><maml:para>"2006-04-17T14:22:48.0000000" </maml:para><maml:para>The following example shows how to set this parameter to the date May 1, 2012 at 5 PM. </maml:para><maml:para>-AccountExpirationDate "05/01/2012 5:00:00 PM" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AccountNotDelegated</maml:name><maml:description><maml:para>Specifies whether the security context of the user is delegated to a service. When this parameter is set to true, the security context of the account is not delegated to a service even when the service account is set as trusted for Kerberos delegation. This parameter sets the AccountNotDelegated property for an Active Directory account. This parameter also sets the ADS_UF_NOT_DELEGATED flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that the security context of the account is not delegated to a service. </maml:para><maml:para>-AccountNotDelegated $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AccountPassword</maml:name><maml:description><maml:para>Specifies a new password value for an account. This value is stored as an encrypted string. </maml:para><maml:para>The following conditions apply based on the manner in which the password parameter is used: </maml:para><maml:para>$null password is specified - No password is set and the account is disabled unless it is requested to be enabled </maml:para><maml:para>No password is specified - No password is set and the account is disabled unless it is requested to be enabled </maml:para><maml:para>User password is specified - Password is set and the account is disabled unless it is requested to be enabled </maml:para><maml:para>Notes: </maml:para><maml:para>User accounts, by default, are created without a password. If you provide a password, an attempt will be made to set that password however, this can fail due to password policy restrictions. The user account will still be created and you may use Set-ADAccountPassword to set the password on that account. In order to ensure that accounts remain secure, user accounts will never be enabled unless a valid password is set or PasswordNotRequired is set to true. </maml:para><maml:para>The account is created if the password fails for any reason. </maml:para><maml:para>The following example shows one method to set this parameter. This command will prompt you to enter the password. </maml:para><maml:para>-AccountPassword (Read-Host -AsSecureString "AccountPassword") </maml:para></maml:description><command:parameterValue required="true" variableLength="false">SecureString</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AllowReversiblePasswordEncryption</maml:name><maml:description><maml:para>Specifies whether reversible password encryption is allowed for the account. This parameter sets the AllowReversiblePasswordEncryption property of the account. This parameter also sets the ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-AllowReversiblePasswordEncryption $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AuthenticationPolicy</maml:name><maml:description><maml:para></maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AuthenticationPolicySilo</maml:name><maml:description><maml:para></maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicySilo</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>CannotChangePassword</maml:name><maml:description><maml:para>Specifies whether the account password can be changed. This parameter sets the CannotChangePassword property of an account. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that the account password can be changed. </maml:para><maml:para>-CannotChangePassword $false </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Certificates</maml:name><maml:description><maml:para>Modifies the DER-encoded X.509v3 certificates of the account. These certificates include the public key certificates issued to this account by the Microsoft Certificate Service. This parameter sets the Certificates property of the account object. The LDAP Display Name (ldapDisplayName) for this property is "userCertificate". </maml:para><maml:para>Syntax: </maml:para><maml:para>To add values: </maml:para><maml:para>-Certificates @{Add=value1,value2,...} </maml:para><maml:para>To remove values: </maml:para><maml:para>-Certificates @{Remove=value3,value4,...} </maml:para><maml:para>To replace values: </maml:para><maml:para>-Certificates @{Replace=value1,value2,...} </maml:para><maml:para>To clear all values: </maml:para><maml:para>-Certificates $null </maml:para><maml:para>You can specify more than one operation by using a list separated by semicolons. For example, use the following syntax to add and remove Certificate values </maml:para><maml:para>-Certificates @{Add=value1,value2,...};@{Remove=value3,value4,...} </maml:para><maml:para>The operators will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>The following example shows how to create a certificate by using the New-Object cmdlet, and then add it to a user account. When this cmdlet is run, <certificate password> is replaced by the password used to add the certificate. </maml:para><maml:para>$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate certificate1.cer <certificate password> </maml:para><maml:para>Set-ADUser saradavis -Certificates @{Add=$cert} </maml:para><maml:para>The following example shows how to add a certificate that is specified as a byte array. </maml:para><maml:para>Set-ADUser saradavis -Certificates @{Add= [Byte[]](0xC5,0xEE,0x53,...)} </maml:para></maml:description><command:parameterValue required="true" variableLength="true">X509Certificate[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ChangePasswordAtLogon</maml:name><maml:description><maml:para>Specifies whether a password must be changed during the next logon attempt. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>This parameter cannot be set to $true or 1 for an account that also has the PasswordNeverExpires property set to true. </maml:para><maml:para>The following example shows how to set this parameter so that the password must be changed at logon. </maml:para><maml:para>-ChangePasswordAtLogon $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>City</maml:name><maml:description><maml:para>Specifies the user's town or city. This parameter sets the City property of a user. The LDAP display name (ldapDisplayName) of this property is "l". </maml:para><maml:para>The following example shows how set this parameter. </maml:para><maml:para>-City "Las Vegas" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Company</maml:name><maml:description><maml:para>Specifies the user's company. This parameter sets the Company property of a user object. The LDAP display name (ldapDisplayName) of this property is "company". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Company "Contoso" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>CompoundIdentitySupported</maml:name><maml:description><maml:para>Specifies whether an account supports Kerberos service tickets which includes the authorization data for the user's device. This value sets the compound identity supported flag of the Active Directory msDS-SupportedEncryptionTypes attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to specify that an account supports service tickets with device authorization data. </maml:para><maml:para>-SupportDeviceAuthz $true </maml:para><maml:para>Warning: Domain-joined Windows systems and services such as clustering manage their own msDS-SupportedEncryptionTypes attribute. Therefore any changes to the flag on the msDS-SupportedEncryptionTypes attribute will be overwritten by the service or system which manages the setting. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Country</maml:name><maml:description><maml:para>Specifies the country or region code for the user's language of choice. This parameter sets the Country property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "c". This value is not used by Windows 2000. </maml:para><maml:para>The following example shows how set this parameter. </maml:para><maml:para>-Country "IN" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Department</maml:name><maml:description><maml:para>Specifies the user's department. This parameter sets the Department property of a user. The LDAP Display Name (ldapDisplayName) of this property is "department". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Department "Development" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is "displayName". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-DisplayName "Sara Davis Laptop" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Division</maml:name><maml:description><maml:para>Specifies the user's division. This parameter sets the Division property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "division". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Division "Software" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>EmailAddress</maml:name><maml:description><maml:para>Specifies the user's e-mail address. This parameter sets the EmailAddress property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "mail". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-EmailAddress "saradavis@contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>EmployeeID</maml:name><maml:description><maml:para>Specifies the user's employee ID. This parameter sets the EmployeeID property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "employeeID". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-EmployeeID "A123456" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>EmployeeNumber</maml:name><maml:description><maml:para>Specifies the user's employee number. This parameter sets the EmployeeNumber property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "employeeNumber". </maml:para><maml:para>The following example shows how set this parameter. </maml:para><maml:para>-EmployeeNumber "12345678" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Enabled</maml:name><maml:description><maml:para>Specifies if an account is enabled. An enabled account requires a password. This parameter sets the Enabled property for an account object. This parameter also sets the ADS_UF_ACCOUNTDISABLE flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to enable the account. </maml:para><maml:para>-Enabled $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Fax</maml:name><maml:description><maml:para>Specifies the user's fax phone number. This parameter sets the Fax property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "facsimileTelephoneNumber". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Fax "+1 (999) 555 1212" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>GivenName</maml:name><maml:description><maml:para>Specifies the user's given name. This parameter sets the GivenName property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "givenName". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-givenName "Sanjay" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>HomeDirectory</maml:name><maml:description><maml:para>Specifies a user's home directory. This parameter sets the HomeDirectory property of a user object. The LDAP Display Name (ldapDisplayName) for this property is "homeDirectory". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-HomeDirectory "\\users\saraDavisHomeDir" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>HomeDrive</maml:name><maml:description><maml:para>Specifies a drive that is associated with the UNC path defined by the HomeDirectory property. The drive letter is specified as "<DriveLetter>:" where <DriveLetter> indicates the letter of the drive to associate. The <DriveLetter> must be a single, uppercase letter and the colon is required. This parameter sets the HomeDrive property of the user object. The LDAP Display Name (ldapDisplayName) for this property is "homeDrive". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-HomeDrive "D:" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>HomePage</maml:name><maml:description><maml:para>Specifies the URL of the home page of the object. This parameter sets the homePage property of an Active Directory object. The LDAP Display Name (ldapDisplayName) for this property is "wWWHomePage". </maml:para><maml:para>The following example shows how to set this parameter to a URL. </maml:para><maml:para>-HomePage "http://employees.contoso.com/sdavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>HomePhone</maml:name><maml:description><maml:para>Specifies the user's home telephone number. This parameter sets the HomePhone property of a user. The LDAP Display Name (ldapDisplayName) of this property is "homePhone". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-HomePhone "+1 (999) 555 1212" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Initials</maml:name><maml:description><maml:para>Specifies the initials that represent part of a user's name. You can use this value for the user's middle initial. This parameter sets the Initials property of a user. The LDAP Display Name (ldapDisplayName) of this property is "initials". </maml:para><maml:para>The following example shows how set this parameter. </maml:para><maml:para>-Initials "L" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of a user object to use as a template for a new user object. </maml:para><maml:para>You can use an instance of an existing user object as a template or you can construct a new user object for template use. You can construct a new user object using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create user object templates. </maml:para><maml:para>Method 1: Use an existing user object as a template for a new object. To retrieve an instance of an existing user object, use a cmdlet such as Get-ADUser. Then provide this object to the Instance parameter of the New-ADUser cmdlet to create a new user object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$userInstance = Get-ADUser -Identity "saraDavis" </maml:para><maml:para>New-ADUser -SAMAccountName "ellenAdams" -Instance $userInstance -DisplayName "EllenAdams" </maml:para><maml:para>Method 2: Create a new ADUser object and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADUser cmdlet to create the new Active Directory user object. </maml:para><maml:para>$userInstance = new-object Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>$userInstance.DisplayName = "Ellen Adams" </maml:para><maml:para>New-ADUser -SAMAccountName "ellenAdams" -Instance $userInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADUser</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>KerberosEncryptionType</maml:name><maml:description><maml:para>Specifies whether an account supports Kerberos encryption types which are used during creation of service tickets. This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes attribute. Possible values for this parameter are: </maml:para><maml:para>None </maml:para><maml:para>DES </maml:para><maml:para>RC4 </maml:para><maml:para>AES128 </maml:para><maml:para>AES256 </maml:para><maml:para>None, will remove all encryption types from the account resulting the KDC being unable to issue service tickets for services using the account. </maml:para><maml:para>DES is a weak encryption type which is not supported by default since Windows 7 and Windows Server 2008 R2. </maml:para><maml:para>The following example shows how to specify that an account supports service tickets with device authorization data. </maml:para><maml:para>-KerberosEncryptionTypes RC4|AES128|AES256 </maml:para><maml:para>Warning: Domain-joined Windows systems and services such as clustering manage their own msDS-SupportedEncryptionTypes attribute. Therefore any changes to the flag on the msDS-SupportedEncryptionTypes attribute will be overwritten by the service or system which manages the setting. </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">None</command:parameterValue><command:parameterValue required="true" variableLength="false">DES</command:parameterValue><command:parameterValue required="true" variableLength="false">RC4</command:parameterValue><command:parameterValue required="true" variableLength="false">AES128</command:parameterValue><command:parameterValue required="true" variableLength="false">AES256</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>LogonWorkstations</maml:name><maml:description><maml:para>Specifies the computers that the user can access. To specify more than one computer, create a single comma-separated list. You can identify a computer by using the Security Accounts Manager (SAM) account name (sAMAccountName) or the DNS host name of the computer. The SAM account name is the same as the NetBIOS name of the computer. </maml:para><maml:para>The LDAP display name (ldapDisplayName) for this property is "userWorkStations". </maml:para><maml:para>The following example shows how to set this parameter by using SAMAccountName (NetBIOS name) and DNSHostName values. </maml:para><maml:para>-LogonWorkstations "saraDavisDesktop,saraDavisLapTop,projectA.corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Manager</maml:name><maml:description><maml:para>Specifies the user's manager. This parameter sets the Manager property of a user. This parameter is set by providing one of the following property values. Note: The identifier in parentheses is the LDAP display name for the property. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>The LDAP Display Name (ldapDisplayName) of this property is "manager". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Manager saradavis </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADUser</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>MobilePhone</maml:name><maml:description><maml:para>Specifies the user's mobile phone number. This parameter sets the MobilePhone property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "mobile". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-MobilePhone "+1 (999 ) 555 1212" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Office</maml:name><maml:description><maml:para>Specifies the location of the user's office or place of business. This parameter sets the Office property of a user object. The LDAP display name (ldapDisplayName) of this property is "office". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Office "D1042" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>OfficePhone</maml:name><maml:description><maml:para>Specifies the user's office telephone number. This parameter sets the OfficePhone property of a user object. The LDAP display name (ldapDisplayName) of this property is "telephoneNumber". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-OfficePhone "+1 (999) 555 1212" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Organization</maml:name><maml:description><maml:para>Specifies the user's organization. This parameter sets the Organization property of a user object. The LDAP display name (ldapDisplayName) of this property is "o". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Organization "Accounting" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OtherAttributes</maml:name><maml:description><maml:para>Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory schema. </maml:para><maml:para>Syntax: </maml:para><maml:para>To specify a single value for an attribute: </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value} </maml:para><maml:para>To specify multiple values for an attribute </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...} </maml:para><maml:para>You can specify values for more than one attribute by using semicolons to separate attributes. The following syntax shows how to set values for multiple attributes: </maml:para><maml:para>-OtherAttributes @{'Attribute1LDAPDisplayName'=value; 'Attribute2LDAPDisplayName'=value1,value2;...} </maml:para><maml:para>The following examples show how to use this parameter. </maml:para><maml:para>To set the value of a custom attribute called favColors that takes a set of Unicode strings, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"} </maml:para><maml:para>To set values for favColors and dateOfBirth simultaneously, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"; 'dateOfBirth'=" 01/01/1960"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>OtherName</maml:name><maml:description><maml:para>Specifies a name in addition to a user's given name and surname, such as the user's middle name. This parameter sets the OtherName property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "middleName". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-OtherName "Peter" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>PasswordNeverExpires</maml:name><maml:description><maml:para>Specifies whether the password of an account can expire. This parameter sets the PasswordNeverExpires property of an account object. This parameter also sets the ADS_UF_DONT_EXPIRE_PASSWD flag of the Active Directory User Account Control attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>Note: This parameter cannot be set to $true or 1 for an account that also has the ChangePasswordAtLogon property set to true. </maml:para><maml:para>The following example shows how to set this parameter so that the password can expire. </maml:para><maml:para>-PasswordNeverExpires $false </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>PasswordNotRequired</maml:name><maml:description><maml:para>Specifies whether the account requires a password. A password is not required for a new account. This parameter sets the PasswordNotRequired property of an account object. </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-PasswordNotRequired $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Path</maml:name><maml:description><maml:para>Specifies the X.500 path of the Organizational Unit (OU) or container where the new object is created. </maml:para><maml:para>In many cases, a default value will be used for the Path parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Path will be set in the following cases: </maml:para><maml:para>- If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive. </maml:para><maml:para>- If the cmdlet has a default path, this will be used. For example: in New-ADUser, the Path parameter would default to the Users container. </maml:para><maml:para>- If none of the previous cases apply, the default value of Path will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Path will be set in the following cases: </maml:para><maml:para>- If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive. </maml:para><maml:para>- If the cmdlet has a default path, this will be used. For example: in New-ADUser, the Path parameter would default to the Users container. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Path will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Path parameter will not take any default value. </maml:para><maml:para>The following example shows how to set this parameter to an OU. </maml:para><maml:para>-Path "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>Note: The Active Directory Provider cmdlets, such New-Item, Remove-Item, Remove-ItemProperty, Rename-Item and Set-ItemProperty also contain a Path property. However, for the provider cmdlets, the Path parameter identifies the path of the actual object and not the container as with the Active Directory cmdlets. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>POBox</maml:name><maml:description><maml:para>Specifies the user's post office box number. This parameter sets the POBox property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "postOfficeBox". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-POBox "25662" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>PostalCode</maml:name><maml:description><maml:para>Specifies the user's postal code or zip code. This parameter sets the PostalCode property of a user. The LDAP Display Name (ldapDisplayName) of this property is "postalCode". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-PostalCode "28712" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>PrincipalsAllowedToDelegateToAccount</maml:name><maml:description><maml:para>This parameter sets the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of a computer account object. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADPrincipal[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ProfilePath</maml:name><maml:description><maml:para>Specifies a path to the user's profile. This value can be a local absolute path or a Universal Naming Convention (UNC) path. This parameter sets the ProfilePath property of the user object. The LDAP display name (ldapDisplayName) for this property is "profilePath". </maml:para><maml:para>The following examples show how to set this parameter to a local path and to a UNC path. -ProfilePath "E:\users\profiles\saraDavis" </maml:para><maml:para>-ProfilePath "\\users\profiles\saraDavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>SamAccountName</maml:name><maml:description><maml:para>Specifies the Security Account Manager (SAM) account name of the user, group, computer, or service account. The maximum length of the description is 256 characters. To be compatible with older operating systems, create a SAM account name that is 20 characters or less. This parameter sets the SAMAccountName for an account object. The LDAP display name (ldapDisplayName) for this property is "sAMAccountName". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-SAMAccountName "saradavis" </maml:para><maml:para>Note: If the string value provided is not terminated with a '$' character, the system adds one if needed. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ScriptPath</maml:name><maml:description><maml:para>Specifies a path to the user's log on script. This value can be a local absolute path or a Universal Naming Convention (UNC) path. This parameter sets the ScriptPath property of the user. The LDAP display name (ldapDisplayName) for this property is "scriptPath". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ScriptPath "\\logonScripts\saradavisLogin" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ServicePrincipalNames</maml:name><maml:description><maml:para>Specifies the service principal names for the account. This parameter sets the ServicePrincipalNames property of the account. The LDAP display name (ldapDisplayName) for this property is servicePrincipalName. This parameter uses the following syntax to add remove, replace or clear service principal name values. </maml:para><maml:para>Syntax: </maml:para><maml:para>To add values: </maml:para><maml:para>-ServicePrincipalNames @{Add=value1,value2,...} </maml:para><maml:para>To remove values: </maml:para><maml:para>-ServicePrincipalNames @{Remove=value3,value4,...} </maml:para><maml:para>To replace values: </maml:para><maml:para>-ServicePrincipalNames @{Replace=value1,value2,...} </maml:para><maml:para>To clear all values: </maml:para><maml:para>-ServicePrincipalNames $null </maml:para><maml:para>You can specify more than one change by using a list separated by semicolons. For example, use the following syntax to add and remove service principal names. </maml:para><maml:para>@{Add=value1,value2,...};@{Remove=value3,value4,...} </maml:para><maml:para>The operators will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>The following example shows how to add and remove service principal names. </maml:para><maml:para>-ServicePrincipalNames-@{Add="SQLservice\accounting.corp.contoso.com:1456"};{Remove="SQLservice\finance.corp.contoso.com:1456"} </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>SmartcardLogonRequired</maml:name><maml:description><maml:para>Specifies whether a smart card is required to logon. This parameter sets the SmartCardLoginRequired property for a user. This parameter also sets the ADS_UF_SMARTCARD_REQUIRED flag of the Active Directory User Account Control attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that a smart card is required to logon to the account. </maml:para><maml:para>-SmartCardLogonRequired $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>State</maml:name><maml:description><maml:para>Specifies the user's or Organizational Unit's state or province. This parameter sets the State property of a User or Organizational Unit object. The LDAP display name (ldapDisplayName) of this property is "st". </maml:para><maml:para>The following example shows how set this parameter. </maml:para><maml:para>-State "Nevada" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>StreetAddress</maml:name><maml:description><maml:para>Specifies the user's street address. This parameter sets the StreetAddress property of a user object. The LDAP display name (ldapDisplayName) of this property is "streetAddress". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-StreetAddress "1200 Main Street" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Surname</maml:name><maml:description><maml:para>Specifies the user's last name or surname. This parameter sets the Surname property of a user object. The LDAP display name (ldapDisplayName) of this property is "sn". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Surname "Patel" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Title</maml:name><maml:description><maml:para>Specifies the user's title. This parameter sets the Title property of a user object. The LDAP display name (ldapDisplayName) of this property is "title". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Title "Manager" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>TrustedForDelegation</maml:name><maml:description><maml:para>Specifies whether an account is trusted for Kerberos delegation. A service that runs under an account that is trusted for Kerberos delegation can assume the identity of a client requesting the service. This parameter sets the TrustedForDelegation property of an account object. This value also sets the ADS_UF_TRUSTED_FOR_DELEGATION flag of the Active Directory User Account Control attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to specify that an account is trusted for Kerberos delegation. </maml:para><maml:para>-TrustedForDelegation $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Type</maml:name><maml:description><maml:para>Specifies the type of object to create. Set the Type parameter to the LDAP display name of the Active Directory Schema Class that represents the type of object that you want to create. The selected type must be a subclass of the User schema class. If this parameter is not specified it will default to "User". </maml:para><maml:para>The following example shows how to use this parameter to create a new Active Directory InetOrgPerson object. </maml:para><maml:para>-Type "InetOrgPerson" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>UserPrincipalName</maml:name><maml:description><maml:para>Each user account has a user principal name (UPN) in the format <user>@<DNS-domain-name>. A UPN is a friendly name assigned by an administrator that is shorter than the LDAP distinguished name used by the system and easier to remember. The UPN is independent of the user object's DN, so a user object can be moved or renamed without affecting the user logon name. When logging on using a UPN, users no longer have to choose a domain from a list on the logon dialog box. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AccountExpirationDate</maml:name><maml:description><maml:para>Specifies the expiration date for an account. When you set this parameter to 0, the account never expires. This parameter sets the AccountExpirationDate property of an account object. The LDAP Display name (ldapDisplayName) for this property is accountExpires. </maml:para><maml:para>Use the DateTime syntax when you specify this parameter. Time is assumed to be local time unless otherwise specified. When a time value is not specified, the time is assumed to 12:00:00 AM local time. When a date is not specified, the date is assumed to be the current date. The following examples show commonly-used syntax to specify a DateTime object. </maml:para><maml:para>"4/17/2006" </maml:para><maml:para>"Monday, April 17, 2006" </maml:para><maml:para>"2:22:45 PM" </maml:para><maml:para>"Monday, April 17, 2006 2:22:45 PM" </maml:para><maml:para>These examples specify the same date and the time without the seconds. </maml:para><maml:para>"4/17/2006 2:22 PM" </maml:para><maml:para>"Monday, April 17, 2006 2:22 PM" </maml:para><maml:para>"2:22 PM" </maml:para><maml:para>The following example shows how to specify a date and time by using the RFC1123 standard. This example defines time by using Greenwich Mean Time (GMT). </maml:para><maml:para>"Mon, 17 Apr 2006 21:22:48 GMT" </maml:para><maml:para>The following example shows how to specify a round-trip value as Coordinated Universal Time (UTC). This example represents Monday, April 17, 2006 at 2:22:48 PM UTC. </maml:para><maml:para>"2006-04-17T14:22:48.0000000" </maml:para><maml:para>The following example shows how to set this parameter to the date May 1, 2012 at 5 PM. </maml:para><maml:para>-AccountExpirationDate "05/01/2012 5:00:00 PM" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue><dev:type><maml:name>DateTime</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AccountNotDelegated</maml:name><maml:description><maml:para>Specifies whether the security context of the user is delegated to a service. When this parameter is set to true, the security context of the account is not delegated to a service even when the service account is set as trusted for Kerberos delegation. This parameter sets the AccountNotDelegated property for an Active Directory account. This parameter also sets the ADS_UF_NOT_DELEGATED flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that the security context of the account is not delegated to a service. </maml:para><maml:para>-AccountNotDelegated $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AccountPassword</maml:name><maml:description><maml:para>Specifies a new password value for an account. This value is stored as an encrypted string. </maml:para><maml:para>The following conditions apply based on the manner in which the password parameter is used: </maml:para><maml:para>$null password is specified - No password is set and the account is disabled unless it is requested to be enabled </maml:para><maml:para>No password is specified - No password is set and the account is disabled unless it is requested to be enabled </maml:para><maml:para>User password is specified - Password is set and the account is disabled unless it is requested to be enabled </maml:para><maml:para>Notes: </maml:para><maml:para>User accounts, by default, are created without a password. If you provide a password, an attempt will be made to set that password however, this can fail due to password policy restrictions. The user account will still be created and you may use Set-ADAccountPassword to set the password on that account. In order to ensure that accounts remain secure, user accounts will never be enabled unless a valid password is set or PasswordNotRequired is set to true. </maml:para><maml:para>The account is created if the password fails for any reason. </maml:para><maml:para>The following example shows one method to set this parameter. This command will prompt you to enter the password. </maml:para><maml:para>-AccountPassword (Read-Host -AsSecureString "AccountPassword") </maml:para></maml:description><command:parameterValue required="true" variableLength="false">SecureString</command:parameterValue><dev:type><maml:name>SecureString</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AllowReversiblePasswordEncryption</maml:name><maml:description><maml:para>Specifies whether reversible password encryption is allowed for the account. This parameter sets the AllowReversiblePasswordEncryption property of the account. This parameter also sets the ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-AllowReversiblePasswordEncryption $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AuthenticationPolicy</maml:name><maml:description><maml:para></maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue><dev:type><maml:name>ADAuthenticationPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>AuthenticationPolicySilo</maml:name><maml:description><maml:para></maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicySilo</command:parameterValue><dev:type><maml:name>ADAuthenticationPolicySilo</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>CannotChangePassword</maml:name><maml:description><maml:para>Specifies whether the account password can be changed. This parameter sets the CannotChangePassword property of an account. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that the account password can be changed. </maml:para><maml:para>-CannotChangePassword $false </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Certificates</maml:name><maml:description><maml:para>Modifies the DER-encoded X.509v3 certificates of the account. These certificates include the public key certificates issued to this account by the Microsoft Certificate Service. This parameter sets the Certificates property of the account object. The LDAP Display Name (ldapDisplayName) for this property is "userCertificate". </maml:para><maml:para>Syntax: </maml:para><maml:para>To add values: </maml:para><maml:para>-Certificates @{Add=value1,value2,...} </maml:para><maml:para>To remove values: </maml:para><maml:para>-Certificates @{Remove=value3,value4,...} </maml:para><maml:para>To replace values: </maml:para><maml:para>-Certificates @{Replace=value1,value2,...} </maml:para><maml:para>To clear all values: </maml:para><maml:para>-Certificates $null </maml:para><maml:para>You can specify more than one operation by using a list separated by semicolons. For example, use the following syntax to add and remove Certificate values </maml:para><maml:para>-Certificates @{Add=value1,value2,...};@{Remove=value3,value4,...} </maml:para><maml:para>The operators will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>The following example shows how to create a certificate by using the New-Object cmdlet, and then add it to a user account. When this cmdlet is run, <certificate password> is replaced by the password used to add the certificate. </maml:para><maml:para>$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate certificate1.cer <certificate password> </maml:para><maml:para>Set-ADUser saradavis -Certificates @{Add=$cert} </maml:para><maml:para>The following example shows how to add a certificate that is specified as a byte array. </maml:para><maml:para>Set-ADUser saradavis -Certificates @{Add= [Byte[]](0xC5,0xEE,0x53,...)} </maml:para></maml:description><command:parameterValue required="true" variableLength="true">X509Certificate[]</command:parameterValue><dev:type><maml:name>X509Certificate[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ChangePasswordAtLogon</maml:name><maml:description><maml:para>Specifies whether a password must be changed during the next logon attempt. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>This parameter cannot be set to $true or 1 for an account that also has the PasswordNeverExpires property set to true. </maml:para><maml:para>The following example shows how to set this parameter so that the password must be changed at logon. </maml:para><maml:para>-ChangePasswordAtLogon $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>City</maml:name><maml:description><maml:para>Specifies the user's town or city. This parameter sets the City property of a user. The LDAP display name (ldapDisplayName) of this property is "l". </maml:para><maml:para>The following example shows how set this parameter. </maml:para><maml:para>-City "Las Vegas" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Company</maml:name><maml:description><maml:para>Specifies the user's company. This parameter sets the Company property of a user object. The LDAP display name (ldapDisplayName) of this property is "company". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Company "Contoso" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>CompoundIdentitySupported</maml:name><maml:description><maml:para>Specifies whether an account supports Kerberos service tickets which includes the authorization data for the user's device. This value sets the compound identity supported flag of the Active Directory msDS-SupportedEncryptionTypes attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to specify that an account supports service tickets with device authorization data. </maml:para><maml:para>-SupportDeviceAuthz $true </maml:para><maml:para>Warning: Domain-joined Windows systems and services such as clustering manage their own msDS-SupportedEncryptionTypes attribute. Therefore any changes to the flag on the msDS-SupportedEncryptionTypes attribute will be overwritten by the service or system which manages the setting. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Country</maml:name><maml:description><maml:para>Specifies the country or region code for the user's language of choice. This parameter sets the Country property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "c". This value is not used by Windows 2000. </maml:para><maml:para>The following example shows how set this parameter. </maml:para><maml:para>-Country "IN" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Department</maml:name><maml:description><maml:para>Specifies the user's department. This parameter sets the Department property of a user. The LDAP Display Name (ldapDisplayName) of this property is "department". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Department "Development" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is "displayName". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-DisplayName "Sara Davis Laptop" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Division</maml:name><maml:description><maml:para>Specifies the user's division. This parameter sets the Division property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "division". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Division "Software" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>EmailAddress</maml:name><maml:description><maml:para>Specifies the user's e-mail address. This parameter sets the EmailAddress property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "mail". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-EmailAddress "saradavis@contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>EmployeeID</maml:name><maml:description><maml:para>Specifies the user's employee ID. This parameter sets the EmployeeID property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "employeeID". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-EmployeeID "A123456" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>EmployeeNumber</maml:name><maml:description><maml:para>Specifies the user's employee number. This parameter sets the EmployeeNumber property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "employeeNumber". </maml:para><maml:para>The following example shows how set this parameter. </maml:para><maml:para>-EmployeeNumber "12345678" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Enabled</maml:name><maml:description><maml:para>Specifies if an account is enabled. An enabled account requires a password. This parameter sets the Enabled property for an account object. This parameter also sets the ADS_UF_ACCOUNTDISABLE flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to enable the account. </maml:para><maml:para>-Enabled $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Fax</maml:name><maml:description><maml:para>Specifies the user's fax phone number. This parameter sets the Fax property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "facsimileTelephoneNumber". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Fax "+1 (999) 555 1212" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>GivenName</maml:name><maml:description><maml:para>Specifies the user's given name. This parameter sets the GivenName property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "givenName". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-givenName "Sanjay" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>HomeDirectory</maml:name><maml:description><maml:para>Specifies a user's home directory. This parameter sets the HomeDirectory property of a user object. The LDAP Display Name (ldapDisplayName) for this property is "homeDirectory". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-HomeDirectory "\\users\saraDavisHomeDir" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>HomeDrive</maml:name><maml:description><maml:para>Specifies a drive that is associated with the UNC path defined by the HomeDirectory property. The drive letter is specified as "<DriveLetter>:" where <DriveLetter> indicates the letter of the drive to associate. The <DriveLetter> must be a single, uppercase letter and the colon is required. This parameter sets the HomeDrive property of the user object. The LDAP Display Name (ldapDisplayName) for this property is "homeDrive". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-HomeDrive "D:" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>HomePage</maml:name><maml:description><maml:para>Specifies the URL of the home page of the object. This parameter sets the homePage property of an Active Directory object. The LDAP Display Name (ldapDisplayName) for this property is "wWWHomePage". </maml:para><maml:para>The following example shows how to set this parameter to a URL. </maml:para><maml:para>-HomePage "http://employees.contoso.com/sdavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>HomePhone</maml:name><maml:description><maml:para>Specifies the user's home telephone number. This parameter sets the HomePhone property of a user. The LDAP Display Name (ldapDisplayName) of this property is "homePhone". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-HomePhone "+1 (999) 555 1212" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Initials</maml:name><maml:description><maml:para>Specifies the initials that represent part of a user's name. You can use this value for the user's middle initial. This parameter sets the Initials property of a user. The LDAP Display Name (ldapDisplayName) of this property is "initials". </maml:para><maml:para>The following example shows how set this parameter. </maml:para><maml:para>-Initials "L" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of a user object to use as a template for a new user object. </maml:para><maml:para>You can use an instance of an existing user object as a template or you can construct a new user object for template use. You can construct a new user object using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create user object templates. </maml:para><maml:para>Method 1: Use an existing user object as a template for a new object. To retrieve an instance of an existing user object, use a cmdlet such as Get-ADUser. Then provide this object to the Instance parameter of the New-ADUser cmdlet to create a new user object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$userInstance = Get-ADUser -Identity "saraDavis" </maml:para><maml:para>New-ADUser -SAMAccountName "ellenAdams" -Instance $userInstance -DisplayName "EllenAdams" </maml:para><maml:para>Method 2: Create a new ADUser object and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADUser cmdlet to create the new Active Directory user object. </maml:para><maml:para>$userInstance = new-object Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>$userInstance.DisplayName = "Ellen Adams" </maml:para><maml:para>New-ADUser -SAMAccountName "ellenAdams" -Instance $userInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADUser</command:parameterValue><dev:type><maml:name>ADUser</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>KerberosEncryptionType</maml:name><maml:description><maml:para>Specifies whether an account supports Kerberos encryption types which are used during creation of service tickets. This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes attribute. Possible values for this parameter are: </maml:para><maml:para>None </maml:para><maml:para>DES </maml:para><maml:para>RC4 </maml:para><maml:para>AES128 </maml:para><maml:para>AES256 </maml:para><maml:para>None, will remove all encryption types from the account resulting the KDC being unable to issue service tickets for services using the account. </maml:para><maml:para>DES is a weak encryption type which is not supported by default since Windows 7 and Windows Server 2008 R2. </maml:para><maml:para>The following example shows how to specify that an account supports service tickets with device authorization data. </maml:para><maml:para>-KerberosEncryptionTypes RC4|AES128|AES256 </maml:para><maml:para>Warning: Domain-joined Windows systems and services such as clustering manage their own msDS-SupportedEncryptionTypes attribute. Therefore any changes to the flag on the msDS-SupportedEncryptionTypes attribute will be overwritten by the service or system which manages the setting. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADKerberosEncryptionType</command:parameterValue><dev:type><maml:name>ADKerberosEncryptionType</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>LogonWorkstations</maml:name><maml:description><maml:para>Specifies the computers that the user can access. To specify more than one computer, create a single comma-separated list. You can identify a computer by using the Security Accounts Manager (SAM) account name (sAMAccountName) or the DNS host name of the computer. The SAM account name is the same as the NetBIOS name of the computer. </maml:para><maml:para>The LDAP display name (ldapDisplayName) for this property is "userWorkStations". </maml:para><maml:para>The following example shows how to set this parameter by using SAMAccountName (NetBIOS name) and DNSHostName values. </maml:para><maml:para>-LogonWorkstations "saraDavisDesktop,saraDavisLapTop,projectA.corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Manager</maml:name><maml:description><maml:para>Specifies the user's manager. This parameter sets the Manager property of a user. This parameter is set by providing one of the following property values. Note: The identifier in parentheses is the LDAP display name for the property. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>The LDAP Display Name (ldapDisplayName) of this property is "manager". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Manager saradavis </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADUser</command:parameterValue><dev:type><maml:name>ADUser</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>MobilePhone</maml:name><maml:description><maml:para>Specifies the user's mobile phone number. This parameter sets the MobilePhone property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "mobile". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-MobilePhone "+1 (999 ) 555 1212" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""><maml:name>Name</maml:name><maml:description><maml:para>Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name". </maml:para><maml:para>The following example shows how to set this parameter to a name string. </maml:para><maml:para>-Name "SaraDavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Office</maml:name><maml:description><maml:para>Specifies the location of the user's office or place of business. This parameter sets the Office property of a user object. The LDAP display name (ldapDisplayName) of this property is "office". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Office "D1042" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>OfficePhone</maml:name><maml:description><maml:para>Specifies the user's office telephone number. This parameter sets the OfficePhone property of a user object. The LDAP display name (ldapDisplayName) of this property is "telephoneNumber". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-OfficePhone "+1 (999) 555 1212" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Organization</maml:name><maml:description><maml:para>Specifies the user's organization. This parameter sets the Organization property of a user object. The LDAP display name (ldapDisplayName) of this property is "o". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Organization "Accounting" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OtherAttributes</maml:name><maml:description><maml:para>Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory schema. </maml:para><maml:para>Syntax: </maml:para><maml:para>To specify a single value for an attribute: </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value} </maml:para><maml:para>To specify multiple values for an attribute </maml:para><maml:para>-OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...} </maml:para><maml:para>You can specify values for more than one attribute by using semicolons to separate attributes. The following syntax shows how to set values for multiple attributes: </maml:para><maml:para>-OtherAttributes @{'Attribute1LDAPDisplayName'=value; 'Attribute2LDAPDisplayName'=value1,value2;...} </maml:para><maml:para>The following examples show how to use this parameter. </maml:para><maml:para>To set the value of a custom attribute called favColors that takes a set of Unicode strings, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"} </maml:para><maml:para>To set values for favColors and dateOfBirth simultaneously, use the following syntax: </maml:para><maml:para>-OtherAttributes @{'favColors'="pink","purple"; 'dateOfBirth'=" 01/01/1960"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>OtherName</maml:name><maml:description><maml:para>Specifies a name in addition to a user's given name and surname, such as the user's middle name. This parameter sets the OtherName property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "middleName". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-OtherName "Peter" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>POBox</maml:name><maml:description><maml:para>Specifies the user's post office box number. This parameter sets the POBox property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "postOfficeBox". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-POBox "25662" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>PasswordNeverExpires</maml:name><maml:description><maml:para>Specifies whether the password of an account can expire. This parameter sets the PasswordNeverExpires property of an account object. This parameter also sets the ADS_UF_DONT_EXPIRE_PASSWD flag of the Active Directory User Account Control attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>Note: This parameter cannot be set to $true or 1 for an account that also has the ChangePasswordAtLogon property set to true. </maml:para><maml:para>The following example shows how to set this parameter so that the password can expire. </maml:para><maml:para>-PasswordNeverExpires $false </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>PasswordNotRequired</maml:name><maml:description><maml:para>Specifies whether the account requires a password. A password is not required for a new account. This parameter sets the PasswordNotRequired property of an account object. </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-PasswordNotRequired $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Path</maml:name><maml:description><maml:para>Specifies the X.500 path of the Organizational Unit (OU) or container where the new object is created. </maml:para><maml:para>In many cases, a default value will be used for the Path parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Path will be set in the following cases: </maml:para><maml:para>- If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive. </maml:para><maml:para>- If the cmdlet has a default path, this will be used. For example: in New-ADUser, the Path parameter would default to the Users container. </maml:para><maml:para>- If none of the previous cases apply, the default value of Path will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Path will be set in the following cases: </maml:para><maml:para>- If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive. </maml:para><maml:para>- If the cmdlet has a default path, this will be used. For example: in New-ADUser, the Path parameter would default to the Users container. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Path will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Path parameter will not take any default value. </maml:para><maml:para>The following example shows how to set this parameter to an OU. </maml:para><maml:para>-Path "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com" </maml:para><maml:para>Note: The Active Directory Provider cmdlets, such New-Item, Remove-Item, Remove-ItemProperty, Rename-Item and Set-ItemProperty also contain a Path property. However, for the provider cmdlets, the Path parameter identifies the path of the actual object and not the container as with the Active Directory cmdlets. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>PostalCode</maml:name><maml:description><maml:para>Specifies the user's postal code or zip code. This parameter sets the PostalCode property of a user. The LDAP Display Name (ldapDisplayName) of this property is "postalCode". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-PostalCode "28712" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>PrincipalsAllowedToDelegateToAccount</maml:name><maml:description><maml:para>This parameter sets the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of a computer account object. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADPrincipal[]</command:parameterValue><dev:type><maml:name>ADPrincipal[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ProfilePath</maml:name><maml:description><maml:para>Specifies a path to the user's profile. This value can be a local absolute path or a Universal Naming Convention (UNC) path. This parameter sets the ProfilePath property of the user object. The LDAP display name (ldapDisplayName) for this property is "profilePath". </maml:para><maml:para>The following examples show how to set this parameter to a local path and to a UNC path. -ProfilePath "E:\users\profiles\saraDavis" </maml:para><maml:para>-ProfilePath "\\users\profiles\saraDavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>SamAccountName</maml:name><maml:description><maml:para>Specifies the Security Account Manager (SAM) account name of the user, group, computer, or service account. The maximum length of the description is 256 characters. To be compatible with older operating systems, create a SAM account name that is 20 characters or less. This parameter sets the SAMAccountName for an account object. The LDAP display name (ldapDisplayName) for this property is "sAMAccountName". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-SAMAccountName "saradavis" </maml:para><maml:para>Note: If the string value provided is not terminated with a '$' character, the system adds one if needed. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ScriptPath</maml:name><maml:description><maml:para>Specifies a path to the user's log on script. This value can be a local absolute path or a Universal Naming Convention (UNC) path. This parameter sets the ScriptPath property of the user. The LDAP display name (ldapDisplayName) for this property is "scriptPath". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ScriptPath "\\logonScripts\saradavisLogin" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>ServicePrincipalNames</maml:name><maml:description><maml:para>Specifies the service principal names for the account. This parameter sets the ServicePrincipalNames property of the account. The LDAP display name (ldapDisplayName) for this property is servicePrincipalName. This parameter uses the following syntax to add remove, replace or clear service principal name values. </maml:para><maml:para>Syntax: </maml:para><maml:para>To add values: </maml:para><maml:para>-ServicePrincipalNames @{Add=value1,value2,...} </maml:para><maml:para>To remove values: </maml:para><maml:para>-ServicePrincipalNames @{Remove=value3,value4,...} </maml:para><maml:para>To replace values: </maml:para><maml:para>-ServicePrincipalNames @{Replace=value1,value2,...} </maml:para><maml:para>To clear all values: </maml:para><maml:para>-ServicePrincipalNames $null </maml:para><maml:para>You can specify more than one change by using a list separated by semicolons. For example, use the following syntax to add and remove service principal names. </maml:para><maml:para>@{Add=value1,value2,...};@{Remove=value3,value4,...} </maml:para><maml:para>The operators will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>The following example shows how to add and remove service principal names. </maml:para><maml:para>-ServicePrincipalNames-@{Add="SQLservice\accounting.corp.contoso.com:1456"};{Remove="SQLservice\finance.corp.contoso.com:1456"} </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>SmartcardLogonRequired</maml:name><maml:description><maml:para>Specifies whether a smart card is required to logon. This parameter sets the SmartCardLoginRequired property for a user. This parameter also sets the ADS_UF_SMARTCARD_REQUIRED flag of the Active Directory User Account Control attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that a smart card is required to logon to the account. </maml:para><maml:para>-SmartCardLogonRequired $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>State</maml:name><maml:description><maml:para>Specifies the user's or Organizational Unit's state or province. This parameter sets the State property of a User or Organizational Unit object. The LDAP display name (ldapDisplayName) of this property is "st". </maml:para><maml:para>The following example shows how set this parameter. </maml:para><maml:para>-State "Nevada" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>StreetAddress</maml:name><maml:description><maml:para>Specifies the user's street address. This parameter sets the StreetAddress property of a user object. The LDAP display name (ldapDisplayName) of this property is "streetAddress". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-StreetAddress "1200 Main Street" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Surname</maml:name><maml:description><maml:para>Specifies the user's last name or surname. This parameter sets the Surname property of a user object. The LDAP display name (ldapDisplayName) of this property is "sn". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Surname "Patel" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Title</maml:name><maml:description><maml:para>Specifies the user's title. This parameter sets the Title property of a user object. The LDAP display name (ldapDisplayName) of this property is "title". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Title "Manager" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>TrustedForDelegation</maml:name><maml:description><maml:para>Specifies whether an account is trusted for Kerberos delegation. A service that runs under an account that is trusted for Kerberos delegation can assume the identity of a client requesting the service. This parameter sets the TrustedForDelegation property of an account object. This value also sets the ADS_UF_TRUSTED_FOR_DELEGATION flag of the Active Directory User Account Control attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to specify that an account is trusted for Kerberos delegation. </maml:para><maml:para>-TrustedForDelegation $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>Type</maml:name><maml:description><maml:para>Specifies the type of object to create. Set the Type parameter to the LDAP display name of the Active Directory Schema Class that represents the type of object that you want to create. The selected type must be a subclass of the User schema class. If this parameter is not specified it will default to "User". </maml:para><maml:para>The following example shows how to use this parameter to create a new Active Directory InetOrgPerson object. </maml:para><maml:para>-Type "InetOrgPerson" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue>user</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases=""><maml:name>UserPrincipalName</maml:name><maml:description><maml:para>Each user account has a user principal name (UPN) in the format <user>@<DNS-domain-name>. A UPN is a friendly name assigned by an administrator that is shorter than the LDAP distinguished name used by the system and easier to remember. The UPN is independent of the user object's DN, so a user object can be moved or renamed without affecting the user logon name. When logging on using a UPN, users no longer have to choose a domain from a list on the logon dialog box. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADUser</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A user object that is a template for the new user object is received by the Instance parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADUser</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns the new user object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADUser GlenJohn -Certificate (new-object System.Security.Cryptography.X509Certificates.X509Certificate -ArgumentList "export.cer") </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new user named 'GlenJohn' with a certicate imported from the file "export.cer". </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADUser GlenJohn -OtherAttributes @{title="director";mail="glenjohn@fabrikam.com"} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new user named 'GlenJohn' and set the title and mail properties on the new object. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADUser GlenJohn -Type iNetOrgPerson -Path "DC=AppNC" -server lds.Fabrikam.com:50000 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Create a new inetOrgPerson named 'GlenJohn' on an AD LDS instance. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291077</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADUser</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADUser</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADUser</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Remove-ADAuthenticationPolicy</command:name><maml:description><maml:para>Removes an Active Directory Domain Services authentication policy object.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Remove</command:verb><command:noun>ADAuthenticationPolicy</command:noun><dev:version /></command:details><maml:description><maml:para>The Remove-ADAuthenticationPolicy cmdlet removes an Active Directory® Domain Services authentication policy. </maml:para><maml:para>The Identity parameter specifies the Active Directory Domain Services authentication policy to remove. You can identify an authentication policy by its distinguished name (DN), GUID or name. You can also use the Identity parameter to specify a variable that contains an authentication policy object, or you can use the pipeline operator to pass an authentication policy object to the Identity parameter.</maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Remove-ADAuthenticationPolicy</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="0" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory Domain Services authentication policy object. Specify the authentication policy object in one of the following formats: --Distinguished Name --GUID --Name</maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If the cmdlet finds two or more objects, the cmdlet returns a non-terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. The acceptable values for this parameter are: --Negotiate or 0 --Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.</maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform the task. The default is the current user. Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the <maml:navigationLink><maml:linkText>Get-Credential</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet. </maml:para><maml:para>By default, the cmdlet uses the credentials of the currently logged on user unless the cmdlet is run from an Active Directory Domain ServicesWindows PowerShell provider drive. If you run the cmdlet in a provider drive, the account associated with the drive is the default.</maml:para><maml:para>If you specify credentials that do not have permission to perform the task, the cmdlet returns an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to which to connect, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Specify the Active Directory Domain Services instance in one of the following ways: --Domain name values: ----Fully qualified domain name ----NetBIOS name --Directory server values: ----Fully qualified directory server name ----NetBIOS name ----Fully qualified directory server name and port</maml:para><maml:para>The default value for this parameter is determined by one of the following methods in the order that they are listed: --By using the Server value from objects passed through the pipeline --By using the server information associated with the Active Directory Domain ServicesWindows PowerShell provider drive, when the cmdlet runs in that drive --By using the domain of the computer running Windows PowerShell</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. The acceptable values for this parameter are: --Negotiate or 0 --Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform the task. The default is the current user. Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the <maml:navigationLink><maml:linkText>Get-Credential</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet. </maml:para><maml:para>By default, the cmdlet uses the credentials of the currently logged on user unless the cmdlet is run from an Active Directory Domain ServicesWindows PowerShell provider drive. If you run the cmdlet in a provider drive, the account associated with the drive is the default.</maml:para><maml:para>If you specify credentials that do not have permission to perform the task, the cmdlet returns an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="0" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory Domain Services authentication policy object. Specify the authentication policy object in one of the following formats: --Distinguished Name --GUID --Name</maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If the cmdlet finds two or more objects, the cmdlet returns a non-terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue><dev:type><maml:name>ADAuthenticationPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to which to connect, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Specify the Active Directory Domain Services instance in one of the following ways: --Domain name values: ----Fully qualified domain name ----NetBIOS name --Directory server values: ----Fully qualified directory server name ----NetBIOS name ----Fully qualified directory server name and port</maml:para><maml:para>The default value for this parameter is determined by one of the following methods in the order that they are listed: --By using the Server value from objects passed through the pipeline --By using the server information associated with the Active Directory Domain ServicesWindows PowerShell provider drive, when the cmdlet runs in that drive --By using the domain of the computer running Windows PowerShell</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADAuthenticationPolicy</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>This cmdlet accepts an authentication policy object.</maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>System.Object</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title>Example 1: Remove an authentication policy by specifying a name</maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\> Remove-ADAuthenticationPolicy -Identity AuthenticationPolicy01 </dev:code><dev:remarks><maml:para>This command removes the authentication policy specified by the Identity parameter.</maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title>Example 2: Remove multiple authentication policies </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\> Get-ADAuthenticationPolicy -Filter 'Enforce -eq $false' | Remove-ADAuthenticationPolicy </dev:code><dev:remarks><maml:para>This command uses the Get-ADAuthenticationPolicy cmdlet with the Filter parameter to get all authentication policies that are not enforced. The pipeline operator then passes the result of the filter to the Remove-ADAuthenticationPolicy cmdlet. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=296766</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADAuthenticationPolicy</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADAuthenticationPolicy</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADAuthenticationPolicy</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Remove-ADAuthenticationPolicySilo</command:name><maml:description><maml:para>Removes an Active Directory Domain Services authentication policy silo object.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Remove</command:verb><command:noun>ADAuthenticationPolicySilo</command:noun><dev:version /></command:details><maml:description><maml:para>The Remove-ADAuthenticationPolicySilo cmdlet removes an Active Directory® Domain Services authentication policy silo object. </maml:para><maml:para>The Identity parameter specifies the Active Directory Domain Services authentication policy silo to remove. You can identify an authentication policy silo by its distinguished name (DN), GUID or name. You can also use the Identity parameter to specify a variable that contains an authentication policy silo object, or you can use the pipeline operator to pass an authentication policy silo object to the Identity parameter.</maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Remove-ADAuthenticationPolicySilo</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="0" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory Domain Services authentication policy silo object. Specify the authentication policy silo object in one of the following formats: --Distinguished Name --GUID --Name</maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If the cmdlet finds two or more objects, the cmdlet returns a non-terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicySilo</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. The acceptable values for this parameter are: --Negotiate or 0 --Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.</maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform the task. The default is the current user. Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the <maml:navigationLink><maml:linkText>Get-Credential</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet. </maml:para><maml:para>By default, the cmdlet uses the credentials of the currently logged on user unless the cmdlet is run from an Active Directory Domain ServicesWindows PowerShell provider drive. If you run the cmdlet in a provider drive, the account associated with the drive is the default.</maml:para><maml:para>If you specify credentials that do not have permission to perform the task, the cmdlet returns an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to which to connect, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Specify the Active Directory Domain Services instance in one of the following ways: --Domain name values: ----Fully qualified domain name ----NetBIOS name --Directory server values: ----Fully qualified directory server name ----NetBIOS name ----Fully qualified directory server name and port</maml:para><maml:para>The default value for this parameter is determined by one of the following methods in the order that they are listed: --By using the Server value from objects passed through the pipeline --By using the server information associated with the Active Directory Domain ServicesWindows PowerShell provider drive, when the cmdlet runs in that drive --By using the domain of the computer running Windows PowerShell</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. The acceptable values for this parameter are: --Negotiate or 0 --Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform the task. The default is the current user. Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the <maml:navigationLink><maml:linkText>Get-Credential</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet. </maml:para><maml:para>By default, the cmdlet uses the credentials of the currently logged on user unless the cmdlet is run from an Active Directory Domain ServicesWindows PowerShell provider drive. If you run the cmdlet in a provider drive, the account associated with the drive is the default.</maml:para><maml:para>If you specify credentials that do not have permission to perform the task, the cmdlet returns an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="0" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory Domain Services authentication policy silo object. Specify the authentication policy silo object in one of the following formats: --Distinguished Name --GUID --Name</maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If the cmdlet finds two or more objects, the cmdlet returns a non-terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicySilo</command:parameterValue><dev:type><maml:name>ADAuthenticationPolicySilo</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to which to connect, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Specify the Active Directory Domain Services instance in one of the following ways: --Domain name values: ----Fully qualified domain name ----NetBIOS name --Directory server values: ----Fully qualified directory server name ----NetBIOS name ----Fully qualified directory server name and port</maml:para><maml:para>The default value for this parameter is determined by one of the following methods in the order that they are listed: --By using the Server value from objects passed through the pipeline --By using the server information associated with the Active Directory Domain ServicesWindows PowerShell provider drive, when the cmdlet runs in that drive --By using the domain of the computer running Windows PowerShell</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADAuthenticationPolicySilo</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>This cmdlet accepts an authentication policy silo object. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>System.Object</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title>Example 1: Remove an authentication policy silo object</maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\>Remove-ADAuthenticationPolicySilo -Identity AuthenticationPolicySilo01 </dev:code><dev:remarks><maml:para>This command removes the authentication policy silo object named AuthenticationPolicySilo01.</maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title>Example 2: Remove all authentication policy silo objects that match a filter</maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\>Get-ADAuthenticationPolicySilo -Filter 'Enforce -eq $False' | Remove-ADAuthenticationPolicySilo </dev:code><dev:remarks><maml:para>This command uses the Get-ADAuthenticationPolicySilo cmdlet with the Filter parameter to get all authentication policy silos that are not enforced. The pipeline operator then passes the result of the filter to the Remove-ADAuthenticationPolicySilo cmdlet. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title>Example 3: Remove all matching authentication policy silos without confirmation</maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\>Get-ADAuthenticationPolicySilo -Filter 'Enforce -eq $False' | Remove-ADAuthenticationPolicySilo -Confirm:$False </dev:code><dev:remarks><maml:para>This command uses the Get-ADAuthenticationPolicySilo cmdlet with the Filter parameter to get all authentication policy silos that are not enforced. The pipeline operator then passes the result of the filter to the Remove-ADAuthenticationPolicySilo cmdlet. However, because the Confirm parameter is set to $False, no confirmation messages appear. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=296768</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADAuthenticationPolicySilo</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADAuthenticationPolicySilo</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADAuthenticationPolicySilo</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Remove-ADCentralAccessPolicy</command:name><maml:description><maml:para>Removes a central access policy from Active Directory. </maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Remove</command:verb><command:noun>ADCentralAccessPolicy</command:noun><dev:version /></command:details><maml:description><maml:para>The Remove-ADCentralAccessPolicy cmdlet can be used to remove a central access policy from Active Directory. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Remove-ADCentralAccessPolicy</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Finance Policy,CN=Central Access Policies,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADCentralAccessPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Finance Policy,CN=Central Access Policies,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADCentralAccessPolicy</command:parameterValue><dev:type><maml:name>ADCentralAccessPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADCentralAccessPolicy</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>An Active Directory object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para><maml:para>By default, this cmdlet has the -Confirm parameter set, which prompts you to confirm before a removal of the specified object type can occur. To bypass prompting for confirmation before removal, you can specify -Confirm:$false when using this cmdlet. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Remove-ADCentralAccessPolicy "Finance Policy" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Removes the central access policy named "Finance Policy". </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADCentralAccessPolicy -Filter 'Name -Like "Finance*"' | Remove-ADCentralAccessPolicy </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all resource property lists whose name starts with 'Finance' and then remove them. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291078</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Remove-ADCentralAccessPolicyMember</command:name><maml:description><maml:para>Removes central access rules from a central access policy in Active Directory. </maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Remove</command:verb><command:noun>ADCentralAccessPolicyMember</command:noun><dev:version /></command:details><maml:description><maml:para>The Remove-ADCentralAccessPolicyMember cmdlet removes central access rules from a central access policy in Active Directory. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Remove-ADCentralAccessPolicyMember</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Finance Policy,CN=Central Access Policies,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADCentralAccessPolicy</command:parameterValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>Members</maml:name><maml:description><maml:para>Specifies a set of central access rule (CAR) objects in a comma-separated list to add to a central access policy (CAP). </maml:para><maml:para>To identify each object, use one of the following property values. (Note: The identifier in parentheses is the LDAP display name.) </maml:para><maml:para>Name </maml:para><maml:para>Example: Finance Documents Rule </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Finance Documents Rule,CN=Central Access Rules,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>You can also provide objects to this parameter directly. </maml:para><maml:para>The following examples show how to specify this parameter. </maml:para><maml:para>This example specifies two CARs to add by specifying the distinguished name and the name properties. </maml:para><maml:para>-Members "CN=Finance Documents Rule,CN=Central Access Rules,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com", "Corporate Documents Rule" </maml:para><maml:para>This example specifies two CARs that are defined in the current Windows PowerShell session as input for the parameter. </maml:para><maml:para>-Members $carObject, $carObject2 </maml:para><maml:para>You cannot pass objects through the pipeline to this parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADCentralAccessRule[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Finance Policy,CN=Central Access Policies,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADCentralAccessPolicy</command:parameterValue><dev:type><maml:name>ADCentralAccessPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>Members</maml:name><maml:description><maml:para>Specifies a set of central access rule (CAR) objects in a comma-separated list to add to a central access policy (CAP). </maml:para><maml:para>To identify each object, use one of the following property values. (Note: The identifier in parentheses is the LDAP display name.) </maml:para><maml:para>Name </maml:para><maml:para>Example: Finance Documents Rule </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Finance Documents Rule,CN=Central Access Rules,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>You can also provide objects to this parameter directly. </maml:para><maml:para>The following examples show how to specify this parameter. </maml:para><maml:para>This example specifies two CARs to add by specifying the distinguished name and the name properties. </maml:para><maml:para>-Members "CN=Finance Documents Rule,CN=Central Access Rules,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com", "Corporate Documents Rule" </maml:para><maml:para>This example specifies two CARs that are defined in the current Windows PowerShell session as input for the parameter. </maml:para><maml:para>-Members $carObject, $carObject2 </maml:para><maml:para>You cannot pass objects through the pipeline to this parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADCentralAccessRule[]</command:parameterValue><dev:type><maml:name>ADCentralAccessRule[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADCentralAccessPolicy</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A ADCentralAccessPolicy object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.ADCentralAccessPolicy</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns the modified ADCentralAccessPolicy object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>By default, this cmdlet has the -Confirm parameter set, which prompts you to confirm before a removal of the specified object type can occur. To bypass prompting for confirmation before removal, you can specify -Confirm:$false when using this cmdlet. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Remove-ADCentralAccessPolicyMember "Finance Policy" -Members "Finance Documents Rule" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Remove the resource property named 'Finance Documents Rule' from the central access policy named 'Finance Policy'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Remove-ADCentralAccessPolicyMember "Finance Policy" "Finance Documents Rule","Corporate Documents Rule" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Remove the central access rules named 'Finance Documents Rule' and 'Corporate Documents Rule' from the central access policy 'Finance Policy'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADCentralAccessPolicy -Filter { Name -like "Corporate*" } | Remove-ADCentralAccessPolicyMember "Finance Documents Rule","Corporate Documents Rule" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Gets the central access policies that begin with "Corporate" in its name, and then pipes that result to the Remove-ADCentralAccessPolicyMember, which then removes the central access rules named 'Finance Documents Rule' and 'Corporate Documents Rule' from the policies. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291079</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Remove-ADCentralAccessRule</command:name><maml:description><maml:para>Removes a central access rule from Active Directory.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Remove</command:verb><command:noun>ADCentralAccessRule</command:noun><dev:version /></command:details><maml:description><maml:para>The Remove-ADCentralAccessRule cmdlet can be used to remove a central access rule from Active Directory. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Remove-ADCentralAccessRule</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Finance Documents Rule,CN=Central Access Rules,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADCentralAccessRule</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Finance Documents Rule,CN=Central Access Rules,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADCentralAccessRule</command:parameterValue><dev:type><maml:name>ADCentralAccessRule</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADCentralAccessPolicyEntry</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>An Active Directory object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para><maml:para>By default, this cmdlet has the -Confirm parameter set, which prompts you to confirm before a removal of the specified object type can occur. To bypass prompting for confirmation before removal, you can specify -Confirm:$false when using this cmdlet. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Remove-ADCentralAccessRule "Finance Documents Rule" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Removes the specified central access rule ("Finance Documents Rule"). </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADCentralAccessRule -Filter { ResourceCondition -like "*Department*" } | Remove-ADCentralAccessRule </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Removes the central access rules with 'Department' in their resource conditions. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291080</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Remove-ADClaimTransformPolicy</command:name><maml:description><maml:para>Removes a claim transformation policy object from Active Directory.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Remove</command:verb><command:noun>ADClaimTransformPolicy</command:noun><dev:version /></command:details><maml:description><maml:para>The Remove-ADClaimTransformPolicy cmdlet can be used to remove a claim transformation policy object from Active Directory. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Remove-ADClaimTransformPolicy</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=DenyAllPolicy,CN=Claims Transformation Policies,CN=Claims Configuration,CN=Services,CN=Configuration, </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADDomain </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimTransformPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=DenyAllPolicy,CN=Claims Transformation Policies,CN=Claims Configuration,CN=Services,CN=Configuration, </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADDomain </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimTransformPolicy</command:parameterValue><dev:type><maml:name>ADClaimTransformPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADClaimTransformPolicy</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A claim transform policy object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>By default, this cmdlet has the -Confirm parameter set, which prompts you to confirm before a removal of the specified object type can occur. To bypass prompting for confirmation before removal, you can specify -Confirm:$false when using this cmdlet. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Remove-ADClaimTransformPolicy DenyAllPolicy </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Removes the claims transformation policy with the name 'DenyAllPolicy'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADClaimTransformPolicy -Filter {Description -eq "For testing only."} | Remove-ADClaimTransformPolicy </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Gets all claims transformation policies that were marked in their description as "For testing only" and removes them. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291081</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Remove-ADClaimType</command:name><maml:description><maml:para>Removes a claim type from Active Directory. </maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Remove</command:verb><command:noun>ADClaimType</command:noun><dev:version /></command:details><maml:description><maml:para>The Remove-ADClaimType cmdlet can be used to remove a claim type from Active Directory. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Remove-ADClaimType</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Employee Type,CN=Claim Types,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimType</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Force</maml:name><maml:description><maml:para>Allows the cmdlet to remove objects that cannot otherwise be changed due to some attribute validation failure. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Force</maml:name><maml:description><maml:para>Allows the cmdlet to remove objects that cannot otherwise be changed due to some attribute validation failure. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Employee Type,CN=Claim Types,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimType</command:parameterValue><dev:type><maml:name>ADClaimType</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADClaimType</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para><maml:para>By default, this cmdlet has the -Confirm parameter set, which prompts you to confirm before a removal of the specified object type can occur. To bypass prompting for confirmation before removal, you can specify -Confirm:$false when using this cmdlet. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Remove-ADClaimType Title </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Remove the claim type with the name 'Title'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADClaimType -Filter { Enabled -eq $FALSE } | Remove-ADClaimType </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all the disabled claim types and remove them. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291082</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Remove-ADComputer</command:name><maml:description><maml:para>Removes an Active Directory computer.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Remove</command:verb><command:noun>ADComputer</command:noun><dev:version /></command:details><maml:description><maml:para>The Remove-ADComputer cmdlet removes an Active Directory computer. </maml:para><maml:para>The Identity parameter specifies the Active Directory computer to remove. You can identify a computer by its distinguished name Members (DN), GUID, security identifier (SID), or Security Accounts Manager (SAM) account name. You can also set the Identity parameter to a computer object variable, such as $<localComputerObject>, or you can pass a computer object through the pipeline to the Identity parameter. For example, you can use the Get-ADComputer cmdlet to retrieve a computer object and then pass the object through the pipeline to the Remove-ADComputer cmdlet. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Remove-ADComputer</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory computer object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavisDesktop,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>Security Accounts Manager Account Name (sAMAccountName) </maml:para><maml:para>Example: SaraDavisDesktop </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If the identifier given is a DN, the partition to search will be computed from that DN. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a computer object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saraDavisDesktop,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a computer object instance named "computerInstance". </maml:para><maml:para>-Identity $computerInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADComputer</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory computer object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavisDesktop,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>Security Accounts Manager Account Name (sAMAccountName) </maml:para><maml:para>Example: SaraDavisDesktop </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If the identifier given is a DN, the partition to search will be computed from that DN. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a computer object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saraDavisDesktop,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a computer object instance named "computerInstance". </maml:para><maml:para>-Identity $computerInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADComputer</command:parameterValue><dev:type><maml:name>ADComputer</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADComputer</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A computer object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with AD LDS. </maml:para><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para><maml:para>By default, this cmdlet has the -Confirm parameter set, which prompts you to confirm before a removal of the specified object type can occur. To bypass prompting for confirmation before removal, you can specify -Confirm:$false when using this cmdlet. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Remove-ADComputer -Identity "FABRIKAM-SRV4" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Remove one particular computer. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADComputer -Filter 'Location -eq "NA/HQ/Building A"' | Remove-ADComputer Confirm Are you sure you want to perform this action? Performing operation "Remove" on Target "CN=LabServer-01,CN=Computers,DC=Fabrikam,DC=com". [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): a </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Remove all computers in a given location. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADComputer -Filter 'Location -eq "NA/HQ/Building A"' | Remove-ADComputer -confirm:$false </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Remove all computers from a given location and disables the confirm prompt. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADComputer "FABRIKAM-SRV4" | Remove-ADObject -Recursive </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Remove a computer and all leaf objects that are located underneath it in the directory. (Note that only a few computer objects create child objects, such as servers running the Clustering service. This example can be useful for removing those objects and any child objects owned by and associated with them.) </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291083</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Add-ADComputerServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADComputer</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADComputerServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADComputer</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADComputerServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADComputer</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Remove-ADComputerServiceAccount</command:name><maml:description><maml:para>Removes one or more service accounts from a computer.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Remove</command:verb><command:noun>ADComputerServiceAccount</command:noun><dev:version /></command:details><maml:description><maml:para>The Remove-ADComputerServiceAccount cmdlet removes service accounts from an Active Directory computer. </maml:para><maml:para>The Computer parameter specifies the Active Directory computer that contains the service accounts to remove. You can identify a computer by its distinguished name (DN), GUID, security identifier (SID) or Security Accounts Manager (SAM) account name. You can also set the Computer parameter to a computer object variable, such as $<localComputerobject>, or pass a computer object through the pipeline to the Computer parameter. For example, you can use the Get-ADComputer cmdlet to retrieve a computer object and then pass the object through the pipeline to the Remove-ADComputerServiceAccount cmdlet. </maml:para><maml:para>The ServiceAccount parameter specifies the service accounts to remove. You can identify a service account by its distinguished name (DN), GUID, security identifier (SID) or security accounts manager (SAM) account name. You can also specify service account object variables, such as $<localServiceAccountObject>. If you are specifying more than one service account, use a comma-separated list. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Remove-ADComputerServiceAccount</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases="Computer"><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory computer object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavisDesktop,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>Security Accounts Manager Account Name (sAMAccountName) </maml:para><maml:para>Example: SaraDavisDesktop </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If the identifier given is a DN, the partition to search will be computed from that DN. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a computer object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saraDavisDesktop,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a computer object instance named "computerInstance". </maml:para><maml:para>-Identity $computerInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADComputer</command:parameterValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>ServiceAccount</maml:name><maml:description><maml:para>Specifies one or more Active Directory service accounts. You can identify a service account by using one of the following property values: </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=serviceadmin,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: serviceadmin </maml:para><maml:para>The following example shows how to specify a service account for this parameter using the SAM Account Name. </maml:para><maml:para>-ServiceAccount "serviceAdminEurope" </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADServiceAccount[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases="Computer"><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory computer object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavisDesktop,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>Security Accounts Manager Account Name (sAMAccountName) </maml:para><maml:para>Example: SaraDavisDesktop </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If the identifier given is a DN, the partition to search will be computed from that DN. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a computer object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saraDavisDesktop,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a computer object instance named "computerInstance". </maml:para><maml:para>-Identity $computerInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADComputer</command:parameterValue><dev:type><maml:name>ADComputer</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>ServiceAccount</maml:name><maml:description><maml:para>Specifies one or more Active Directory service accounts. You can identify a service account by using one of the following property values: </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=serviceadmin,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: serviceadmin </maml:para><maml:para>The following example shows how to specify a service account for this parameter using the SAM Account Name. </maml:para><maml:para>-ServiceAccount "serviceAdminEurope" </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADServiceAccount[]</command:parameterValue><dev:type><maml:name>ADServiceAccount[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADComputer</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A computer object is received by the Computer parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADComputer</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns an object that represents the modified computer object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with AD LDS. </maml:para><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para><maml:para>By default, this cmdlet has the -Confirm parameter set, which prompts you to confirm before a removal of the specified object type can occur. To bypass prompting for confirmation before removal, you can specify -Confirm:$false when using this cmdlet. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Remove-ADComputerServiceAccount -Computer ComputerAcct1 -serviceAccount SvcAcct1 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Remove a service account 'SvcAcct1' from a Computer Account 'ComputerAcct1'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Remove-ADComputerServiceAccount -Computer ComputerAcct1 -serviceAccount SvcAcct1,SvcAcct2 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Remove service accounts: 'SvcAcct1,SvcAcct2' from a Computer Account: 'ComputerAcct1'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291084</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Add-ADComputerServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADComputer</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Remove-ADDomainControllerPasswordReplicationPolicy</command:name><maml:description><maml:para>Removes users, computers and groups from the allowed or denied list of a read-only domain controller password replication policy.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Remove</command:verb><command:noun>ADDomainControllerPasswordReplicationPolicy</command:noun><dev:version /></command:details><maml:description><maml:para>The Remove-ADDomainControllerPasswordReplicationPolicy cmdlet removes one or more users, computers and groups from the allowed or denied list of a read-only domain controller (RODC) password replication policy. </maml:para><maml:para>The Identity parameter specifies the RODC that uses the allowed and denied lists to apply the password replication policy. You can identify a domain controller by its GUID, IPV4Address, global IPV6Address, or DNS host name. You can also identify a domain controller by the name of the server object that represents the domain controller, the Distinguished Name (DN) of the NTDS settings object or the server object, the GUID of the NTDS settings object or the server object under the configuration partition, or the DN of the computer object that represents the domain controller. You can also set the Identity parameter to a domain controller object variable, such as $<localDomainControllerobject>, or pass a domain controller object through the pipeline to the Identity parameter. For example, you can use the Get-ADDomainController cmdlet to retrieve a domain controller object and then pass the object through the pipeline to the Remove-ADDomainControllerPasswordReplicationPolicy cmdlet. You must provide a read-only domain controller. </maml:para><maml:para>The AllowedList parameters specify the users, computers and groups to remove from the allowed list. Similarly, the DeniedList parameter specifies the users, computers and groups to remove from the denied list. You must specify either one or both of the AllowedList and DeniedList parameters. You can identify a user, computer or group by distinguished name (DN), GUID, security identifier (SID) or security accounts manager (SAM) account name. You can also specify user, computer or group variables, such as $<localUserObject>. If you are specifying more than one item, use a comma-separated list. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Remove-ADDomainControllerPasswordReplicationPolicy</maml:name><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADDomainController</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A read-only domain controller (RODC) object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADDomainController</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns the modified read-only domain controller object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with AD LDS. </maml:para><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para><maml:para>By default, this cmdlet has the -Confirm parameter set, which prompts you to confirm before a removal of the specified object type can occur. To bypass prompting for confirmation before removal, you can specify -Confirm:$false when using this cmdlet. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Remove-ADDomainControllerPasswordReplicationPolicy -Identity "FABRIKAM-RODC1" -AllowedList "JesperAaberg", "AdrianaAdams" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Remove the users with samAccountNames 'JesperAaberg' and'AdrianaAdams' from the Allowed list on the RODC 'FABRIKAM-RODC1'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Remove-ADDomainControllerPasswordReplicationPolicy -Identity "FABRIKAM-RODC1" -DeniedList "MichaelAllen", "ElizabethAndersen" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Remove the users with samAccountNames 'MichaelAllen' and 'ElizabethAndersen' from the Denied list on the RODC 'FABRIKAM-RODC1'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291085</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Add-ADDomainControllerPasswordReplicationPolicy</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADDomainController</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADDomainControllerPasswordReplicationPolicy</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Remove-ADFineGrainedPasswordPolicy</command:name><maml:description><maml:para>Removes an Active Directory fine grained password policy.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Remove</command:verb><command:noun>ADFineGrainedPasswordPolicy</command:noun><dev:version /></command:details><maml:description><maml:para>The Remove-ADFineGrainedPasswordPolicy cmdlet removes an Active Directory fine grained password policy. </maml:para><maml:para>The Identity parameter specifies the Active Directory fine grained password policy to remove. You can identify a fine grained password policy by its distinguished name, or GUID. You can also set the Identity parameter to a fine grained password object variable, such as $<localFineGrainedPasswordPolicyObject>, or you can pass a fine grained password policy object through the pipeline to the Identity parameter. For example, you can use the Get-ADFineGrainedPasswordPolicy cmdlet to retrieve a fine grained password policy object and then pass the object through the pipeline to the Remove-ADFineGrainedPasswordPolicy cmdlet. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Remove-ADFineGrainedPasswordPolicy</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory fine-grained password policy object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name (distinguishedName) </maml:para><maml:para>Example: CN=Strict Password Policy,CN=Password Settings Container,CN=System,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Name (name) </maml:para><maml:para>Example: PasswordPolicyLevel1 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a fine-grained password policy object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=Strict Password Policy,CN=Password Settings Container,CN=System,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a fine-grained password policy object instance named "fineGrainedPasswordPolicyInstance". </maml:para><maml:para>-Identity $fineGrainedPasswordPolicyInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADFineGrainedPasswordPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory fine-grained password policy object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name (distinguishedName) </maml:para><maml:para>Example: CN=Strict Password Policy,CN=Password Settings Container,CN=System,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Name (name) </maml:para><maml:para>Example: PasswordPolicyLevel1 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a fine-grained password policy object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=Strict Password Policy,CN=Password Settings Container,CN=System,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a fine-grained password policy object instance named "fineGrainedPasswordPolicyInstance". </maml:para><maml:para>-Identity $fineGrainedPasswordPolicyInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADFineGrainedPasswordPolicy</command:parameterValue><dev:type><maml:name>ADFineGrainedPasswordPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A fine grained password policy object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with AD LDS. </maml:para><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para><maml:para>By default, this cmdlet has the -Confirm parameter set, which prompts you to confirm before a removal of the specified object type can occur. To bypass prompting for confirmation before removal, you can specify -Confirm:$false when using this cmdlet. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Remove-ADFineGrainedPasswordPolicy MyPolicy </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Remove the Fine Grained Password Policy object named 'MyPolicy'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Remove-ADFineGrainedPasswordPolicy -Identity 'CN=MyPolicy,CN=Password Settings Container,CN=System,DC=FABRIKAM,DC=COM' </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Remove the Fine Grained Password Policy object with DistinguishedName 'CN=MyPolicy,CN=Password Settings Container,CN=System,DC=FABRIKAM,DC=COM'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADFineGrainedPasswordPolicy -Filter {Name -like "*user*"} | Remove-ADFineGrainedPasswordPolicy </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Remove all File Grained Password Policy objects that contain user in their names. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291086</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Add-ADFineGrainedPasswordPolicySubject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADFineGrainedPasswordPolicy</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADFineGrainedPasswordPolicySubject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADFineGrainedPasswordPolicy</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADFineGrainedPasswordPolicySubject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADFineGrainedPasswordPolicy</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Remove-ADFineGrainedPasswordPolicySubject</command:name><maml:description><maml:para>Removes one or more users from a fine grained password policy.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Remove</command:verb><command:noun>ADFineGrainedPasswordPolicySubject</command:noun><dev:version /></command:details><maml:description><maml:para>The Remove-ADFineGrainedPasswordPolicySubject cmdlet removes one or more global security groups and users from a fine grained password policy. </maml:para><maml:para>The Identity parameter specifies the fine grained password policy. You can identify a fine grained password policy by its distinguished name or GUID. You can also set the Identity parameter to a fine grained password policy object variable, such as $<localFineGrainedPasswordPolicyObject>, or pass a fine grained password policy object through the pipeline to the Identity parameter. For example, you can use the Get-ADFineGrainedPasswordPolicy cmdlet to retrieve a fine grained password policy object and then pass the object through the pipeline to the Remove-ADFineGrainedPasswordPolicySubject cmdlet. </maml:para><maml:para>The Subjects parameter specifies the users and groups to remove from the password policy. You can identify a user or group by its distinguished name (DN), GUID, security identifier (SID), security accounts manager (SAM) account name, or canonical name. You can also specify user or group object variables, such as $<localUserObject>. If you are specifying more than one user or group, use a comma-separated list. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Remove-ADFineGrainedPasswordPolicySubject</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory fine-grained password policy object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name (distinguishedName) </maml:para><maml:para>Example: CN=Strict Password Policy,CN=Password Settings Container,CN=System,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Name (name) </maml:para><maml:para>Example: PasswordPolicyLevel1 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a fine-grained password policy object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=Strict Password Policy,CN=Password Settings Container,CN=System,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a fine-grained password policy object instance named "fineGrainedPasswordPolicyInstance". </maml:para><maml:para>-Identity $fineGrainedPasswordPolicyInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADFineGrainedPasswordPolicy</command:parameterValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByValue)" position="2" aliases=""><maml:name>Subjects</maml:name><maml:description><maml:para>Specifies one or more users or groups. To specify more than one user or group, use a comma-separated list. You can identify a user or group by one of the following property values. </maml:para><maml:para>Distinguished Name (DN) </maml:para><maml:para>Example: CN=SaraDavis,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>Note: The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>You can also provide objects to this parameter directly. </maml:para><maml:para>The following example shows how to set this parameter to a list of users and groups by using a distinguished name and SAM account names. </maml:para><maml:para>-Subjects "CN=SaraDavis, CN=Users,DC=corp,DC=contoso,DC=com","donhall","saradavisreports" </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADPrincipal[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory fine-grained password policy object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name (distinguishedName) </maml:para><maml:para>Example: CN=Strict Password Policy,CN=Password Settings Container,CN=System,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Name (name) </maml:para><maml:para>Example: PasswordPolicyLevel1 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a fine-grained password policy object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=Strict Password Policy,CN=Password Settings Container,CN=System,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a fine-grained password policy object instance named "fineGrainedPasswordPolicyInstance". </maml:para><maml:para>-Identity $fineGrainedPasswordPolicyInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADFineGrainedPasswordPolicy</command:parameterValue><dev:type><maml:name>ADFineGrainedPasswordPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByValue)" position="2" aliases=""><maml:name>Subjects</maml:name><maml:description><maml:para>Specifies one or more users or groups. To specify more than one user or group, use a comma-separated list. You can identify a user or group by one of the following property values. </maml:para><maml:para>Distinguished Name (DN) </maml:para><maml:para>Example: CN=SaraDavis,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>Note: The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>You can also provide objects to this parameter directly. </maml:para><maml:para>The following example shows how to set this parameter to a list of users and groups by using a distinguished name and SAM account names. </maml:para><maml:para>-Subjects "CN=SaraDavis, CN=Users,DC=corp,DC=contoso,DC=com","donhall","saradavisreports" </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADPrincipal[]</command:parameterValue><dev:type><maml:name>ADPrincipal[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A fine grained password policy object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns an object that represents the modified fine grained password policy object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with AD LDS. </maml:para><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para><maml:para>By default, this cmdlet has the -Confirm parameter set, which prompts you to confirm before a removal of the specified object type can occur. To bypass prompting for confirmation before removal, you can specify -Confirm:$false when using this cmdlet. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Remove-ADFineGrainedPasswordPolicySubject DlgtdAdminsPSO -Subjects BobKe,KimAb </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Remove the Fine-Grained Password Policy named 'DlgtdAdminsPSO' from two users, with SamAccountNames 'BobKe' and 'KimAb'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADFineGrainedPasswordPolicySubject DlgtdAdminsPSO | where {$_.Name -like "*Price"} | Remove-ADFineGrainedPasswordPolicySubject DlgtdAdminsPSO </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Remove any subjects that have names ending with 'Price' from the name list on which the Fine-Grained Password Policy named DlgtdAdminsPSO applies. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291087</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Add-ADFineGrainedPasswordPolicySubject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADFineGrainedPasswordPolicy</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADFineGrainedPasswordPolicySubject</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Remove-ADGroup</command:name><maml:description><maml:para>Removes an Active Directory group.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Remove</command:verb><command:noun>ADGroup</command:noun><dev:version /></command:details><maml:description><maml:para>The Remove-ADGroup cmdlet removes an Active Directory group object. You can use this cmdlet to remove security and distribution groups. </maml:para><maml:para>The Identity parameter specifies the Active Directory group to remove. You can identify a group by its distinguished name (DN), GUID, security identifier (SID), Security Accounts Manager (SAM) account name, or canonical name. You can also set the Identity parameter to an object variable such as $<localADGroupObject>, or you can pass an object through the pipeline to the Identity parameter. For example, you can use the Get-ADGroup cmdlet to retrieve a group object and then pass the object through the pipeline to the Remove-ADGroup cmdlet. </maml:para><maml:para>If the ADGroup is being identified by its DN, the Partition parameter will be automatically determined. </maml:para><maml:para>For AD LDS environments, the Partition parameter must be specified except in the following two conditions: </maml:para><maml:para>- The cmdlet is run from an Active Directory provider drive. </maml:para><maml:para>- A default naming context or partition is defined for the AD LDS environment. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Remove-ADGroup</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory group object by providing one of the following values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavisreports,OU=europe,CN=users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>Security Accounts Manager (SAM) Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavisreports </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saradavisreports,OU=europe,CN=users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a group object instance named "ADGroupInstance". </maml:para><maml:para>-Identity $ADGroupInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADGroup</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory group object by providing one of the following values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavisreports,OU=europe,CN=users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>Security Accounts Manager (SAM) Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavisreports </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saradavisreports,OU=europe,CN=users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a group object instance named "ADGroupInstance". </maml:para><maml:para>-Identity $ADGroupInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADGroup</command:parameterValue><dev:type><maml:name>ADGroup</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADGroup</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A group object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para><maml:para>By default, this cmdlet has the -Confirm parameter set, which prompts you to confirm before a removal of the specified object type can occur. To bypass prompting for confirmation before removal, you can specify -Confirm:$false when using this cmdlet. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>remove-adgroup SanjaysReports Confirm Are you sure you want to perform this action? Performing operation "Remove" on Target "CN=SanjayReports,DC=Fabrikam,DC=com". [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Remove the group that has samAccountName 'SanjaysReports'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>get-adgroup -filter 'Name -like "Sanjay*"' | remove-adgroup Confirm Are you sure you want to perform this action? Performing operation "Remove" on Target "CN=SanjaysReports,DC=Fabrikam,DC=com". [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all groups whose name starts with 'Sanjay' and then remove them. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291088</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Add-ADGroupMember</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADGroup</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADGroupMember</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADGroup</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADGroupMember</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADGroup</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Remove-ADGroupMember</command:name><maml:description><maml:para>Removes one or more members from an Active Directory group.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Remove</command:verb><command:noun>ADGroupMember</command:noun><dev:version /></command:details><maml:description><maml:para>The Remove-ADGroupMember cmdlet removes one or more users, groups, service accounts, or computers from an Active Directory group. </maml:para><maml:para>The Identity parameter specifies the Active Directory group that contains the members to remove. You can identify a group by its distinguished name (DN), GUID, security identifier (SID), or Security Accounts Manager (SAM) account name. You can also specify a group object variable, such as $<localGroupObject>, or pass a group object through the pipeline to the Identity parameter. For example, you can use the Get-ADGroup cmdlet to retrieve a group object and then pass the object through the pipeline to the Remove-ADGroupMember cmdlet. </maml:para><maml:para>The Members parameter specifies the users, computers and groups to remove from the group specified by the Identity parameter. You can identify a user, computer or group by its distinguished name (DN), GUID, security identifier (SID), or Security Accounts Manager (SAM) account name. You can also specify user, computer, and group object variables, such as $<localUserObject>. If you are specifying more than one new member, use a comma-separated list. You cannot pass user, computer, or group objects through the pipeline to this cmdlet. To remove user, computer, or group objects from a group by using the pipeline, use the Remove-ADPrincipalGroupMembership cmdlet. </maml:para><maml:para>For AD LDS environments, the Partition parameter must be specified except in the following two conditions: </maml:para><maml:para>-The cmdlet is run from an Active Directory provider drive. </maml:para><maml:para>-A default naming context or partition is defined for the AD LDS environment. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Remove-ADGroupMember</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory group object by providing one of the following values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavisreports,OU=europe,CN=users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>Security Accounts Manager (SAM) Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavisreports </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saradavisreports,OU=europe,CN=users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a group object instance named "ADGroupInstance". </maml:para><maml:para>-Identity $ADGroupInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADGroup</command:parameterValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>Members</maml:name><maml:description><maml:para>Specifies a set of users, groups, and computers to remove from a group. You can identify users, groups, and computers by specifying one of the following values. Note: The identifier in parentheses is the LDAP display name. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>You can also provide objects to this parameter directly. </maml:para><maml:para>The following examples show how to specify this parameter. </maml:para><maml:para>This example specifies a user and group to remove by specifying the distinguished name and the SAM Account Name property values. </maml:para><maml:para>-Members "CN=SaraDavis,CN=employees,CN=Users,DC=contoso,DC=com", "saradavisreports" </maml:para><maml:para>This example specifies a user and a group object that are defined in the current Windows PowerShell session as input for the parameter. </maml:para><maml:para>-Members $userObject, $groupObject </maml:para><maml:para>The objects specified for this parameter are processed as Microsoft.ActiveDirectory.Management.ADPrincipal objects. Derived types, such as the following are also received by this parameter. </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>You cannot pass objects through the pipeline to this parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADPrincipal[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory group object by providing one of the following values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavisreports,OU=europe,CN=users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>Security Accounts Manager (SAM) Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavisreports </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saradavisreports,OU=europe,CN=users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a group object instance named "ADGroupInstance". </maml:para><maml:para>-Identity $ADGroupInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADGroup</command:parameterValue><dev:type><maml:name>ADGroup</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>Members</maml:name><maml:description><maml:para>Specifies a set of users, groups, and computers to remove from a group. You can identify users, groups, and computers by specifying one of the following values. Note: The identifier in parentheses is the LDAP display name. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>You can also provide objects to this parameter directly. </maml:para><maml:para>The following examples show how to specify this parameter. </maml:para><maml:para>This example specifies a user and group to remove by specifying the distinguished name and the SAM Account Name property values. </maml:para><maml:para>-Members "CN=SaraDavis,CN=employees,CN=Users,DC=contoso,DC=com", "saradavisreports" </maml:para><maml:para>This example specifies a user and a group object that are defined in the current Windows PowerShell session as input for the parameter. </maml:para><maml:para>-Members $userObject, $groupObject </maml:para><maml:para>The objects specified for this parameter are processed as Microsoft.ActiveDirectory.Management.ADPrincipal objects. Derived types, such as the following are also received by this parameter. </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>You cannot pass objects through the pipeline to this parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADPrincipal[]</command:parameterValue><dev:type><maml:name>ADPrincipal[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADGroup</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A group object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADGroup</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns the modified group object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para><maml:para>By default, this cmdlet has the -Confirm parameter set, which prompts you to confirm before a removal of the specified object type can occur. To bypass prompting for confirmation before removal, you can specify -Confirm:$false when using this cmdlet. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>remove-adgroupmember -Identity "DocumentReaders" -Member "WilsonPais" Confirm Are you sure you want to perform this action? Performing operation "Set" on Target "CN=DocumentReaders,CN=Users,DC=Fabrikam,DC=com". [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Remove the user with samAccountName 'WilsonPais' from the group 'DocumentReaders'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>remove-adgroupmember "DocumentReaders" "administrator","Wilson Pais" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Remove the users with samAccountNames 'administrator' and 'WilsonPais' from the group 'DocumentReaders'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>get-adgroup -server localhost:60000 "CN=AccessControl,DC=AppNC" | remove-adgroupmember -member "CN=GlenJohns,DC=AppNC" Confirm Are you sure you want to perform this action? Performing operation "Set" on Target "CN=AccessControl,DC=AppNC". [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Remove the user with DistinguishedName 'CN=GlenJohns,DC=AppNC' from the AccessControl group on an AD LDS instance using the pipeline. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291089</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Add-ADGroupMember</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Add-ADPrincipalGroupMembership</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADGroup</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADGroupMember</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADPrincipalGroupMembership</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADPrincipalGroupMembership</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Remove-ADObject</command:name><maml:description><maml:para>Removes an Active Directory object.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Remove</command:verb><command:noun>ADObject</command:noun><dev:version /></command:details><maml:description><maml:para>The Remove-ADObject cmdlet removes an Active Directory object. You can use this cmdlet to remove any type of Active Directory object. </maml:para><maml:para>The Identity parameter specifies the Active Directory object to remove. You can identify an object by its distinguished name (DN) or GUID. You can also set the Identity parameter to an Active Directory object variable, such as $<localObject>, or pass an object through the pipeline to the Identity parameter. For example, you can use the Get-ADObject cmdlet to retrieve an object and then pass the object through the pipeline to the Remove-ADObject cmdlet. </maml:para><maml:para>If the object you specify to remove has child objects, you must specify the Recursive parameter. </maml:para><maml:para>For AD LDS environments, the Partition parameter must be specified except when: - Using a DN to identify objects: the partition will be auto-generated from the DN. - Running cmdlets from an Active Directory provider drive: the current path will be used to set the partition. - A default naming context or partition is specified. </maml:para><maml:para>To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Remove-ADObject</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavis,OU=users,OU=asia,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADDomain </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADObject</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>IncludeDeletedObjects</maml:name><maml:description><maml:para>Specifies to retrieve deleted objects and the deactivated forward and backward links. When this parameter is specified, the cmdlet uses the following LDAP controls: </maml:para><maml:para>Show Deleted Objects (1.2.840.113556.1.4.417) </maml:para><maml:para>Show Deactivated Links (1.2.840.113556.1.4.2065) </maml:para><maml:para>Note: If this parameter is not specified, the cmdlet will not return or operate on deleted objects. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Recursive</maml:name><maml:description><maml:para>Specifies that the cmdlet should remove the object and any children it contains. </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-Recursive </maml:para><maml:para>Note: Specifying this parameter it will remove all child objects even if there are objects marked with ProtectedFromAccidentalDeletion. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavis,OU=users,OU=asia,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADDomain </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADObject</command:parameterValue><dev:type><maml:name>ADObject</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>IncludeDeletedObjects</maml:name><maml:description><maml:para>Specifies to retrieve deleted objects and the deactivated forward and backward links. When this parameter is specified, the cmdlet uses the following LDAP controls: </maml:para><maml:para>Show Deleted Objects (1.2.840.113556.1.4.417) </maml:para><maml:para>Show Deactivated Links (1.2.840.113556.1.4.2065) </maml:para><maml:para>Note: If this parameter is not specified, the cmdlet will not return or operate on deleted objects. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Recursive</maml:name><maml:description><maml:para>Specifies that the cmdlet should remove the object and any children it contains. </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-Recursive </maml:para><maml:para>Note: Specifying this parameter it will remove all child objects even if there are objects marked with ProtectedFromAccidentalDeletion. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADObject</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>An Active Directory object is received by the Identity parameter. Derived types, such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADOrganizationalUnit </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADDomain </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para><maml:para>This cmdlet does not work when connected to a Global Catalog port. </maml:para><maml:para>By default, this cmdlet has the -Confirm parameter set, which prompts you to confirm before a removal of the specified object type can occur. To bypass prompting for confirmation before removal, you can specify -Confirm:$false when using this cmdlet. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Remove-ADObject 'CN=AmyAl-LPTOP,CN=Computers,DC=FABRIKAM,DC=COM' Confirm Are you sure you want to perform this action? Performing operation "Remove" on Target "CN=AmyAl-LPTOP,CN=Computers,DC=FABRIKAM,DC=COM". [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Remove the object identified by the DistinguishedName 'CN=AmyAl-LPTOP,CN=Computers,DC=FABRIKAM,DC=COM'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Remove-ADObject "OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM" -Recursive Confirm Are you sure you want to perform this action? Performing operation "Remove" on Target "OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM". [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Deletes the container with DistinguishedName 'OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM' including the child objects. Note: All the children of the container including the ones which are protected from accidental deletion are also deleted. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Remove-ADObject "65511e76-ea80-45e1-bc93-08a78d8c4853" -Confirm:$false </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Removes the object with objectGUID '65511e76-ea80-45e1-bc93-08a78d8c4853' without giving the confirmation prompt. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Remove-ADObject -Identity "CN=InternalApps,DC=AppNC" -server "FABRIKAM-SRV1:60000" Confirm Are you sure you want to perform this action? Performing operation "Remove" on Target "CN=InternalApps,DC=AppNC". [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>removes the object with DistinguishedName 'CN=InternalApps,DC=AppNC' from an LDS instance. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 5 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADObject -Filter 'isDeleted -eq $true -and -not (isRecycled -eq $true) -and name -ne "Deleted Objects" -and lastKnownParent -eq "OU=Accounting,DC=Fabrikam,DC=com"' -IncludeDeletedObjects | Remove-ADObject </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Recycles all the objects in the recycle bin which used to be in the container 'OU=Accounting,DC=Fabrikam,DC=com'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291090</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADObject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADObject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADObject</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Remove-ADOrganizationalUnit</command:name><maml:description><maml:para>Removes an Active Directory organizational unit.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Remove</command:verb><command:noun>ADOrganizationalUnit</command:noun><dev:version /></command:details><maml:description><maml:para>The Remove-ADOrganizationalUnit cmdlet removes an Active Directory organizational unit. </maml:para><maml:para>The Identity parameter specifies the organizational unit to remove. You can identify an organizational unit by its distinguished name (DN) or GUID. You can also set the parameter to an organizational unit object variable, such as $<localOrganizationUnitObject> or you can pass an object through the pipeline to the Identity parameter. For example, you can use the Get-ADOrganizationalUnit cmdlet to retrieve the object and then pass the object through the pipeline to the Remove-ADOrganizationalUnit cmdlet. </maml:para><maml:para>If the object you specify to remove has child objects, you must specify the Recursive parameter. </maml:para><maml:para>If the ProtectedFromAccidentalDeletion property of the organizational unit object is set to true, the cmdlet returns a terminating error. </maml:para><maml:para>For AD LDS environments, the Partition parameter must be specified except in the following two conditions: </maml:para><maml:para>-The cmdlet is run from an Active Directory provider drive. </maml:para><maml:para>-A default naming context or partition is defined for the AD LDS environment. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Remove-ADOrganizationalUnit</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies the identity of an Active Directory organizational unit object. The parameter accepts the following identity formats. The identifier in parentheses is the LDAP display name for the attribute that contains the identity. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: OU=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "OU=Europe,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to an organizational unit object instance named "OUinstance". </maml:para><maml:para>-Identity $OUInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADOrganizationalUnit</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Recursive</maml:name><maml:description><maml:para>Specifies that the cmdlet remove the organizational unit and any child items it contains. You must specify this parameter to remove an organizational unit (OU) that is not empty. </maml:para><maml:para>Note: Specifying this parameter it will remove all child objects under an OU that has been marked with ProtectedFromAccidentalDeletion. </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-Recursive </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies the identity of an Active Directory organizational unit object. The parameter accepts the following identity formats. The identifier in parentheses is the LDAP display name for the attribute that contains the identity. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: OU=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "OU=Europe,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to an organizational unit object instance named "OUinstance". </maml:para><maml:para>-Identity $OUInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADOrganizationalUnit</command:parameterValue><dev:type><maml:name>ADOrganizationalUnit</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Recursive</maml:name><maml:description><maml:para>Specifies that the cmdlet remove the organizational unit and any child items it contains. You must specify this parameter to remove an organizational unit (OU) that is not empty. </maml:para><maml:para>Note: Specifying this parameter it will remove all child objects under an OU that has been marked with ProtectedFromAccidentalDeletion. </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-Recursive </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADOrganizationalUnit</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>An organizational unit object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para><maml:para>By default, this cmdlet has the -Confirm parameter set, which prompts you to confirm before a removal of the specified object type can occur. To bypass prompting for confirmation before removal, you can specify -Confirm:$false when using this cmdlet. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Remove-ADOrganizationalUnit -Identity "OU=Accounting,DC=FABRIKAM,DC=COM" -Recursive Are you sure you want to remove the item and all its children? Performing recursive remove on Target: 'OU=Accounting,DC=Fabrikam,DC=com'. [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"):y </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Removes an OrganizationalUnit and all of it's children. If the OrganizationalUnit is protected from deletion, then the OrganizationalUnit and it's children will not be deleted. If the OrganizationalUnit is not protected but any of the children are, then both the OrganizationalUnit and the children will be deleted. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Remove-ADOrganizationalUnit -Identity "1b228aa5-2c14-48b8-ad8a-2685dc22e055" -confirm:$false </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Removes an OrganizationalUnit using it's objectGUID as the Identity while suppressing the confirmation prompt. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Remove-ADOrganizationalUnit -Identity "OU=Accounting,DC=FABRIKAM,DC=COM" Confirm Are you sure you want to perform this action? Performing operation "Remove" on Target "OU=Accounting,DC=Fabrikam,DC=com". [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"):y </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Removes the Accounting OrganizationalUnit. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Remove-ADOrganizationalUnit -Identity "OU=Managed,DC=AppNC" -server "FABRIKAM-SRV1:60000" -confirm:$false </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Removes an OrganizationalUnit from an LDS instance. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291091</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADOrganizationalUnit</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADOrganizationalUnit</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADOrganizationalUnit</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Remove-ADPrincipalGroupMembership</command:name><maml:description><maml:para>Removes a member from one or more Active Directory groups. </maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Remove</command:verb><command:noun>ADPrincipalGroupMembership</command:noun><dev:version /></command:details><maml:description><maml:para>The Remove-ADPrincipalGroupMembership cmdlet removes a user, group, computer, service account, or any other account object from one or more Active Directory groups. </maml:para><maml:para>The Identity parameter specifies the user, group, or computer to remove. You can identify the user, group, or computer by its distinguished name (DN), GUID, security identifier (SID) or SAM account name. You can also specify a user, group, or computer object variable, such as $<localGroupObject>, or pass an object through the pipeline to the Identity parameter. For example, you can use the Get-ADUser cmdlet to retrieve a user object and then pass the object through the pipeline to the Remove-ADPrincipalGroupMembership cmdlet. Similarly, you can use Get-ADGroup or Get-ADComputer to get group, service account and computer objects to pass through the pipeline. </maml:para><maml:para>This cmdlet collects all of the user, computer, service account and group objects from the pipeline, and then removes these objects from the specified group by using one Active Directory operation. </maml:para><maml:para>The MemberOf parameter specifies the groups that you want to remove the member from. You can identify a group by its distinguished name (DN), GUID, security identifier (SID) or Security Accounts Manager (SAM) account name. You can also specify group object variable, such as $<localGroupObject>. To specify more than one group, use a comma-separated list. You cannot pass group objects through the pipeline to the MemberOf parameter. To remove a member from groups that are passed through the pipeline, use the Remove-ADGroupMember cmdlet. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Remove-ADPrincipalGroupMembership</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory principal object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>- Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>- Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>- Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>- Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saradavis,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a principal object instance named "principalInstance". </maml:para><maml:para>-Identity $principalInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADPrincipal</command:parameterValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>MemberOf</maml:name><maml:description><maml:para>Specifies the Active Directory groups to add a user, computer, or group to as a member. You can identify a group by providing one of the following values. Note: The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavisreports,CN=europe,CN=users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>Security Accounts Manager (SAM) Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavisreports </maml:para><maml:para>If you are specifying more than one group, use commas to separate the groups in the list. </maml:para><maml:para>The following example shows how to specify this parameter by using SAM account name values. </maml:para><maml:para>-MemberOf "SaraDavisGroup", "JohnSmithGroup" </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADGroup[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory principal object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>- Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>- Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>- Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>- Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saradavis,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a principal object instance named "principalInstance". </maml:para><maml:para>-Identity $principalInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADPrincipal</command:parameterValue><dev:type><maml:name>ADPrincipal</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>MemberOf</maml:name><maml:description><maml:para>Specifies the Active Directory groups to add a user, computer, or group to as a member. You can identify a group by providing one of the following values. Note: The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavisreports,CN=europe,CN=users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>Security Accounts Manager (SAM) Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavisreports </maml:para><maml:para>If you are specifying more than one group, use commas to separate the groups in the list. </maml:para><maml:para>The following example shows how to specify this parameter by using SAM account name values. </maml:para><maml:para>-MemberOf "SaraDavisGroup", "JohnSmithGroup" </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADGroup[]</command:parameterValue><dev:type><maml:name>ADGroup[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADPrincipal</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A principal object that represents user, computer, or group is received by the Identity parameter. Derived types, such as the following are also received by this parameter. </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADGroup </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADPrincipal</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns a principal object that represents the modified user, computer or group object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para><maml:para>By default, this cmdlet has the -Confirm parameter set, which prompts you to confirm before a removal of the specified object type can occur. To bypass prompting for confirmation before removal, you can specify -Confirm:$false when using this cmdlet. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Remove-ADPrincipalGroupMembership -Identity "Wilson Pais" -MemberOf "Administrators" Remove members from group Do you want to remove all the specified member(s) from the specified group(s)? [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): Y </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Remove the user 'Wilson Pais' from the administrators group. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>get-aduser -server localhost:60000 -Identity "CN=GlenJohns,DC=AppNC" | remove-adprincipalgroupmembership -memberof "CN=AccessControl,DC=AppNC" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Retrieve the user with DistinguishedName 'CN=GlenJohns,DC=AppNC' and remove it from the group with the DistinguishedName 'CN=AccessControl,DC=AppNC' using the pipeline. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291092</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Add-ADGroupMember</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Add-ADPrincipalGroupMembership</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADComputer</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADGroup</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADGroupMember</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADPrincipalGroupMembership</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADUser</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADGroupMember</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Remove-ADReplicationSite</command:name><maml:description><maml:para>Deletes the specified replication site object from Active Directory.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Remove</command:verb><command:noun>ADReplicationSite</command:noun><dev:version /></command:details><maml:description><maml:para>The Remove-ADReplicationSite deletes a specified replication site object from Active Directory. If domain controllers are no longer needed in a network location, you can remove them from a site and then delete the site object. Before deleting the site, you must remove all domain controllers from the site either by removing them entirely or by moving them to a new location. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Remove-ADReplicationSite</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=NorthAmerica,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSite</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=NorthAmerica,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSite</command:parameterValue><dev:type><maml:name>ADReplicationSite</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADReplicationSite</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A site object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>By default, this cmdlet has the -Confirm parameter set, which prompts you to confirm before a removal of the specified object type can occur. To bypass prompting for confirmation before removal, you can specify -Confirm:$false when using this cmdlet. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Remove-ADReplicationSite Europe </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Remove the site with name 'Europe'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationSite -Filter {Description -eq "For testing only."} | Remove-ADReplicationSite </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the sites that are for testing only and remove them. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291093</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADReplicationSite</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADReplicationSite</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADReplicationSite</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Remove-ADReplicationSiteLink</command:name><maml:description><maml:para>Deletes an Active Directory site link used to manage replication.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Remove</command:verb><command:noun>ADReplicationSiteLink</command:noun><dev:version /></command:details><maml:description><maml:para>The Remove-ADReplicationSiteLink cmdlet removes a site link object used to manage replication traffic between two sites in your Active Directory installation. For more information on site links, see the following topic "Creating a Site Link Design" in the TechNet Library: http://go.microsoft.com/fwlink/?LinkId=221870 </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Remove-ADReplicationSiteLink</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=NorthAmerica-SouthAmerica,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSiteLink</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=NorthAmerica-SouthAmerica,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSiteLink</command:parameterValue><dev:type><maml:name>ADReplicationSiteLink</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADReplicationSiteLink</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A site link object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>By default, this cmdlet has the -Confirm parameter set, which prompts you to confirm before a removal of the specified object type can occur. To bypass prompting for confirmation before removal, you can specify -Confirm:$false when using this cmdlet. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Remove-ADReplicationSiteLink "Europe-Asia" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Remove the site link with the name 'Europe-Asia'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationSiteLink -Filter {SitesIncluded -eq "NorthAmerica"} | Remove-ADReplicationSiteLink </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the site links that include NorthAmerica and remove them. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291094</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADReplicationSiteLink</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADReplicationSiteLink</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADReplicationSiteLink</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Remove-ADReplicationSiteLinkBridge</command:name><maml:description><maml:para>Deletes the specified replication site link bridge from Active Directory.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Remove</command:verb><command:noun>ADReplicationSiteLinkBridge</command:noun><dev:version /></command:details><maml:description><maml:para>The Remove-ADReplicationSiteLinkBridge object deletes the specified replication site link bridge from Active Directory. A site link bridge connects two or more site links and enables transitivity between site links. Each site link in a bridge must have a site in common with another site link in the bridge. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Remove-ADReplicationSiteLinkBridge</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=NorthAmerica-Asia,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSiteLinkBridge</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=NorthAmerica-Asia,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSiteLinkBridge</command:parameterValue><dev:type><maml:name>ADReplicationSiteLinkBridge</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADReplicationSiteLinkBridge</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A site link bridge object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>By default, this cmdlet has the -Confirm parameter set, which prompts you to confirm before a removal of the specified object type can occur. To bypass prompting for confirmation before removal, you can specify -Confirm:$false when using this cmdlet. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Remove-ADReplicationSiteLinkBridge "NorthAmerica-Asia" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Remove the site link bridge with name 'NorthAmerica-Asia'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationSiteLinkBridge -Filter {SiteLinksIncluded -eq "Europe-Asia"} | Remove-ADReplicationSiteLinkBridge </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the site link bridges that include 'Europe-Asia' and remove them. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291095</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADReplicationSiteLinkBridge</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADReplicationSiteLinkBridge</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADReplicationSiteLinkBridge</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Remove-ADReplicationSubnet</command:name><maml:description><maml:para>Deletes the specified Active Directory replication subnet object from the directory.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Remove</command:verb><command:noun>ADReplicationSubnet</command:noun><dev:version /></command:details><maml:description><maml:para>The Remove-ADReplicationSubnet cmdlet deletes the specified Active Directory replication subnet object from the directory. Subnet objects (class subnet) define network subnets in Active Directory. A network subnet is a segment of a TCP/IP network to which a set of logical IP addresses is assigned. Subnets group computers in a way that identifies their physical proximity on the network. Subnet objects in Active Directory are used to map computers to sites. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Remove-ADReplicationSubnet</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=10.0.0.0/25,CN=Subnets,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSubnet</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=10.0.0.0/25,CN=Subnets,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSubnet</command:parameterValue><dev:type><maml:name>ADReplicationSubnet</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADReplicationSubnet</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A subnet object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>By default, this cmdlet has the -Confirm parameter set, which prompts you to confirm before a removal of the specified object type can occur. To bypass prompting for confirmation before removal, you can specify -Confirm:$false when using this cmdlet. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Remove-ADReplicationSubnet "10.0.0.0/25" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Remove the site link with name '10.0.0.0/25'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationSubnet -Filter {Location -like "*Japan"} | Remove-ADReplicationSubnet </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all the subnets in Japan and remove them. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291096</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADReplicationSubnet</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADReplicationSubnet</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADReplicationSubnet</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Remove-ADResourceProperty</command:name><maml:description><maml:para>Removes a resource property from Active Directory. </maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Remove</command:verb><command:noun>ADResourceProperty</command:noun><dev:version /></command:details><maml:description><maml:para>The Remove-ADResourceProperty cmdlet removes a resource property from Active Directory. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Remove-ADResourceProperty</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the resource property. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Country,CN=Resource Properties,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADResourceProperty</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the resource property. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Country,CN=Resource Properties,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADResourceProperty</command:parameterValue><dev:type><maml:name>ADResourceProperty</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADResourceProperty</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>By default, this cmdlet has the -Confirm parameter set, which prompts you to confirm before a removal of the specified object type can occur. To bypass prompting for confirmation before removal, you can specify -Confirm:$false when using this cmdlet. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Remove-ADResourceProperty "Country" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Removes the specified resource property. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291097</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Remove-ADResourcePropertyList</command:name><maml:description><maml:para>Removes one or more resource property lists from Active Directory. </maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Remove</command:verb><command:noun>ADResourcePropertyList</command:noun><dev:version /></command:details><maml:description><maml:para>The Remove-ADResourcePropertyList cmdlet removes one or more claim lists from Active Directory. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Remove-ADResourcePropertyList</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the resource property. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Global Resource Property List,CN=Resource Property Lists,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADResourcePropertyList</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the resource property. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Global Resource Property List,CN=Resource Property Lists,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADResourcePropertyList</command:parameterValue><dev:type><maml:name>ADResourcePropertyList</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADResourcePropertyList</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para><maml:para>By default, this cmdlet has the -Confirm parameter set, which prompts you to confirm before a removal of the specified object type can occur. To bypass prompting for confirmation before removal, you can specify -Confirm:$false when using this cmdlet. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Remove-ADResourcePropertyList "Corporate Resource Property List" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Remove the resource property list named 'Corporate Resource Property List'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADResourcePropertyList -Filter 'Name -Like "Branch*"' | Remove-ADResourcePropertyList </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all resource property lists whose name starts with 'Branch' and then remove them. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291098</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Remove-ADResourcePropertyListMember</command:name><maml:description><maml:para>Removes one or more resource properties from a resource property list in Active Directory. </maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Remove</command:verb><command:noun>ADResourcePropertyListMember</command:noun><dev:version /></command:details><maml:description><maml:para>The Remove-ADResourcePropertyListMember cmdlet can be used to remove one or more resource properties from a resource property list in Active Directory. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Remove-ADResourcePropertyListMember</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Country,CN=Resource Properties,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADResourcePropertyList</command:parameterValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>Members</maml:name><maml:description><maml:para>Specifies a set of ADResourceProperty objects in a comma-separated list to add to a resource property list. To identify each object, use one of the following property values. Note: The identifier in parentheses is the LDAP display name. </maml:para><maml:para>Name </maml:para><maml:para>Example: Country </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Country,CN=Resource Properties,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>You can also provide objects to this parameter directly. </maml:para><maml:para>The following examples show how to specify this parameter. </maml:para><maml:para>This example specifies two resource properties to add by specifying the distinguished name and the name properties. </maml:para><maml:para>-Members "CN=Country,CN=Resource Properties,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com", "Authors" </maml:para><maml:para>This example specifies two resource property object that are defined in the current Windows PowerShell session as input for the parameter. </maml:para><maml:para>-Members $rpObject1, $rpObject2 </maml:para><maml:para>You cannot pass objects through the pipeline to this parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADResourceProperty[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Country,CN=Resource Properties,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADResourcePropertyList</command:parameterValue><dev:type><maml:name>ADResourcePropertyList</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>Members</maml:name><maml:description><maml:para>Specifies a set of ADResourceProperty objects in a comma-separated list to add to a resource property list. To identify each object, use one of the following property values. Note: The identifier in parentheses is the LDAP display name. </maml:para><maml:para>Name </maml:para><maml:para>Example: Country </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Country,CN=Resource Properties,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>You can also provide objects to this parameter directly. </maml:para><maml:para>The following examples show how to specify this parameter. </maml:para><maml:para>This example specifies two resource properties to add by specifying the distinguished name and the name properties. </maml:para><maml:para>-Members "CN=Country,CN=Resource Properties,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com", "Authors" </maml:para><maml:para>This example specifies two resource property object that are defined in the current Windows PowerShell session as input for the parameter. </maml:para><maml:para>-Members $rpObject1, $rpObject2 </maml:para><maml:para>You cannot pass objects through the pipeline to this parameter. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADResourceProperty[]</command:parameterValue><dev:type><maml:name>ADResourceProperty[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADResourcePropertyList</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>An ADResourcePropertyList object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADResourcePropertyList</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns the modified ADResourcePropertyList object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>By default, this cmdlet has the -Confirm parameter set, which prompts you to confirm before a removal of the specified object type can occur. To bypass prompting for confirmation before removal, you can specify -Confirm:$false when using this cmdlet. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Remove-ADResourcePropertyListMember "Global Resource Property List" -Members Country </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Removes the resource property specified as a list member ("Country") from the specified resource property list ("Global Resource Property List"). </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Remove-ADResourcePropertyListMember "Corporate Resource Property List" Department,Country </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Removes the resource properties named 'Department' and 'Country' from the resource property list ("Corporate Resource Property List"). </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADResourcePropertyList -Filter { Name -like "Corporate*" } | Remove-ADResourcePropertyListMember Department,Country </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Gets the resource property lists that have a name that begins with "Corporate" and then pipes it to Remove-ADResourcePropertyListMember, which then removes the resource properties with the name 'Department' and 'Country' from it. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291099</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Remove-ADServiceAccount</command:name><maml:description><maml:para>Remove an Active Directory managed service account or group managed service account object.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Remove</command:verb><command:noun>ADServiceAccount</command:noun><dev:version /></command:details><maml:description><maml:para>The Remove-ADServiceAccount cmdlet removes an Active Directory managed service account (MSA). This cmdlet does not make changes to any computers that use the MSA. After this operation, the MSA no longer exists in the directory, but computers will still be configured to use the MSA. </maml:para><maml:para>The Identity parameter specifies the Active Directory MSA to remove. You can identify a MSA by its distinguished name (DN), GUID, security identifier (SID) or security accounts manager (SAM) account name. You can also set the Identity parameter to a MSA object variable, such as $<localSerivceAccountObject>, or you can pass a MSA object through the pipeline to the Identity parameter. For example, you can use the Get-ADServiceAccount cmdlet to retrieve a MSA object and then pass the object through the pipeline to the Remove-ADServiceAccount cmdlet. </maml:para><maml:para>Note: Removing the service account is a different operation than uninstalling the service account locally. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Remove-ADServiceAccount</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory account object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=WebAccount,CN=ManagedServiceAccounts,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: WebAccount$ </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=WebAccount,CN=ManagedServiceAccounts,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to an account object instance named "AccountInstance". </maml:para><maml:para>-Identity $AccountInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADServiceAccount</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory account object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=WebAccount,CN=ManagedServiceAccounts,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: WebAccount$ </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=WebAccount,CN=ManagedServiceAccounts,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to an account object instance named "AccountInstance". </maml:para><maml:para>-Identity $AccountInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADServiceAccount</command:parameterValue><dev:type><maml:name>ADServiceAccount</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADServiceAccount</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A managed service account object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with AD LDS. </maml:para><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para><maml:para>By default, this cmdlet has the -Confirm parameter set, which prompts you to confirm before a removal of the specified object type can occur. To bypass prompting for confirmation before removal, you can specify -Confirm:$false when using this cmdlet. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Remove-ADServiceAccount -Identity SQL-SRV1 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Remove the managed service account named 'service1'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADServiceAccount -Filter {Name -like 'SQL*'} | Remove-ADServiceAccount </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Remove all managed service accounts with names that start with 'SQL'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291100</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Install-ADServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Uninstall-ADServiceAccount</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Remove-ADUser</command:name><maml:description><maml:para>Removes an Active Directory user.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Remove</command:verb><command:noun>ADUser</command:noun><dev:version /></command:details><maml:description><maml:para>The Remove-ADUser cmdlet removes an Active Directory user. </maml:para><maml:para>The Identity parameter specifies the Active Directory user to remove. You can identify a user by its distinguished name (DN), GUID, security identifier (SID) or security accounts manager (SAM) account name. You can also set the Identity parameter to a user object variable, such as $<localUserObject>, or you can pass a user object through the pipeline to the Identity parameter. For example, you can use the Get-ADUser cmdlet to retrieve a user object and then pass the object through the pipeline to the Remove-ADUser cmdlet. </maml:para><maml:para>If the ADUser is being identified by its DN, the Partition parameter will be automatically determined. </maml:para><maml:para>For AD LDS environments, the Partition parameter must be specified except in the following two conditions: </maml:para><maml:para>-The cmdlet is run from an Active Directory provider drive. </maml:para><maml:para>-A default naming context or partition is defined for the AD LDS environment. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Remove-ADUser</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory user object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM account name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=SaraDavis,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a user object instance named "userInstance". </maml:para><maml:para>-Identity $userInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADUser</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory user object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM account name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=SaraDavis,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a user object instance named "userInstance". </maml:para><maml:para>-Identity $userInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADUser</command:parameterValue><dev:type><maml:name>ADUser</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADUser</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A user object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para><maml:para>By default, this cmdlet has the -Confirm parameter set, which prompts you to confirm before a removal of the specified object type can occur. To bypass prompting for confirmation before removal, you can specify -Confirm:$false when using this cmdlet. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Remove-ADUser -Identity GlenJohn </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Remove the user with samAccountName 'GlenJohn'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Search-ADAccount -AccountDisabled | where {$_.ObjectClass -eq 'user'} | Remove-ADUser </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Search for any users that have disabled accounts and remove them. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Remove-ADUser -Identity "CN=Glen John,OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Remove the user with DistinguishedName 'CN=Glen John,OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADUser "cn=glenjohn,dc=appnc" -Server Lds.Fabrikam.com:50000 | Remove-ADUser </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the user with DistinguishedName 'cn=glenjohn,dc=appnc' from the AD LDS instance and remove it. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291101</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADUser</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADUser</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADUser</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Rename-ADObject</command:name><maml:description><maml:para>Changes the name of an Active Directory object. </maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Rename</command:verb><command:noun>ADObject</command:noun><dev:version /></command:details><maml:description><maml:para>The Rename-ADObject cmdlet renames an Active Directory object. This cmdlet sets the Name property of an Active Directory object that has an LDAP Display Name (ldapDisplayName) of "name". To modify the given name, surname and other name of a user, use the Set-ADUser cmdlet. To modify the Security Accounts Manager (SAM) account name of a user, computer, or group, use the Set-ADUser, Set-ADComputer or Set-ADGroup cmdlet. </maml:para><maml:para>The Identity parameter specifies the object to rename. You can identify an object or container by its distinguished name (DN) or GUID. You can also set the Identity parameter to an object variable such as $<localObject>, or you can pass an object through the pipeline to the Identity parameter. For example, you can use the Get-ADObject cmdlet to retrieve an object and then pass the object through the pipeline to the Rename-ADObject cmdlet. You can also use the Get-ADGroup, Get-ADUser, Get-ADComputer, Get-ADServiceAccount, Get-ADOrganizationalUnit and Get-ADFineGrainedPasswordPolicy cmdlets to get an object that you can pass through the pipeline to this cmdlet. </maml:para><maml:para>The NewName parameter defines the new name for the object and must be specified. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Rename-ADObject</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavis,OU=users,OU=asia,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADDomain </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADObject</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>NewName</maml:name><maml:description><maml:para>Specifies the new name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name". </maml:para><maml:para>The following example shows how to set this parameter to a name string. </maml:para><maml:para>-NewName "SaraDavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavis,OU=users,OU=asia,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADDomain </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADObject</command:parameterValue><dev:type><maml:name>ADObject</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>NewName</maml:name><maml:description><maml:para>Specifies the new name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name". </maml:para><maml:para>The following example shows how to set this parameter to a name string. </maml:para><maml:para>-NewName "SaraDavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADObject</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>An Active Directory object is received by the Identity parameter. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADOrganizationalUnit </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Rename-ADObject -Identity "CN=HQ,CN=Sites,CN=Configuration,DC=FABRIKAM,DC=COM" -NewName UnitedKingdomHQ </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Rename the name of an existing site 'HQ' to the new name 'UnitedKingdomHQ'. If the distinguished name is provided in the -Identity parameter, then the -Partition parameter is not required. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Rename-ADObject -Identity "4777c8e8-cd29-4699-91e8-c507705a0966" -NewName "AmsterdamHQ" -Partition "CN=Configuration,DC=FABRIKAM,DC=COM" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Rename the object with objectGUID '4777c8e8-cd29-4699-91e8-c507705a096'6 to 'SiteNewName'. Note -Partition parameter is required because the Naming Context of the site object is not known from the GUID provided to the -Identity parameter. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Rename-ADObject "OU=ManagedGroups,OU=Managed,DC=Fabrikam,DC=Com" -NewName Groups </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Rename the object with the DistinguisehdName 'OU=ManagedGroups,OU=Managed,DC=Fabrikam,DC=Com' to 'Groups'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Rename-ADObject -Identity "4777c8e8-cd29-4699-91e8-c507705a0966" -NewName "DavidAhs" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Rename the object with objectGUID '4777c8e8-cd29-4699-91e8-c507705a0966' to 'DavidAhs'. Note that the -Partition parameter is not specified because the object is in the Default Naming Context of the domain. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 5 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Rename-ADObject "CN=Apps,DC=AppNC" -NewName "InternalApps" -server "FABRIKAM-SRV1:60000" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Rename the container 'CN=Apps,DC=AppNC' to 'InternalApps' in an LDS instance. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291102</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADObject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Move-ADObject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADObject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADObject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Restore-ADObject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADObject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText></maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Reset-ADServiceAccountPassword</command:name><maml:description><maml:para>Resets the password for a standalone managed service account. Reset is not supported for group managed service accounts.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Reset</command:verb><command:noun>ADServiceAccountPassword</command:noun><dev:version /></command:details><maml:description><maml:para>The Reset-ADServiceAccountPassword cmdlet resets the password for the standalone managed service account (MSA) on the local computer. This cmdlet needs to be run on the computer where the standalone MSA is installed. </maml:para><maml:para>The Identity parameter specifies the Active Directory standalone MSA that receives the password reset. You can identify a MSA by its distinguished name (DN), GUID, security identifier (SID) or Security Accounts Manager (SAM) account name. You can also set the Identity parameter to a MSA object variable, such as $<localServiceAccountObject>, or pass a MSA object through the pipeline to the Identity parameter. For example, you can use the Get-ADServiceAccount cmdlet to retrieve a standalone MSA object and then pass the object through the pipeline to the Reset-ADServiceAccountPassword cmdlet. </maml:para><maml:para>Note: When you reset the password for a computer, you also reset all of the standalone MSA passwords for that computer. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Reset-ADServiceAccountPassword</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory account object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=WebAccount,CN=ManagedServiceAccounts,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: WebAccount$ </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=WebAccount,CN=ManagedServiceAccounts,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to an account object instance named "AccountInstance". </maml:para><maml:para>-Identity $AccountInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADServiceAccount</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory account object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=WebAccount,CN=ManagedServiceAccounts,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: WebAccount$ </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=WebAccount,CN=ManagedServiceAccounts,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to an account object instance named "AccountInstance". </maml:para><maml:para>-Identity $AccountInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADServiceAccount</command:parameterValue><dev:type><maml:name>ADServiceAccount</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADServiceAccount</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A managed service account object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with AD LDS. </maml:para><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Reset-ADServiceAccountPassword ServiceAccount1 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Reset the password on the standalone managed service account 'ServiceAccount1' </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291103</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADServiceAccount</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Restore-ADObject</command:name><maml:description><maml:para>Restores an Active Directory object.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Restore</command:verb><command:noun>ADObject</command:noun><dev:version /></command:details><maml:description><maml:para>The Restore-ADObject cmdlet restores a deleted Active Directory object. </maml:para><maml:para>The NewName parameter specifies the new name for the restored object. If the NewName parameter is not specified, the value of the Active Directory attribute with an LDAP display name of "msDS-lastKnownRDN" is used. The TargetPath parameter specifies the new location for the restored object. If the TargetPath is not specified, the value of the Active Directory attribute with an LDAP display name of "lastKnownParent" is used. </maml:para><maml:para>The Identity parameter specifies the Active Directory object to restore. You can identify an object by its distinguished name (DN) or GUID. You can also set the Identity parameter to an object variable such as $<localObject>, or you can pass an object through the pipeline to the Identity parameter. For example, you can use the Get-ADObject cmdlet to retrieve a deleted object by specifying the IncludeDeletedObjects parameter. You can then pass the object through the pipeline to the Restore-ADObject cmdlet. </maml:para><maml:para>Note: You can get the distinguished names of deleted objects by using the Get-ADObject cmdlet with the -IncludedeDeletedObjects parameter specified. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Restore-ADObject</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavis,OU=users,OU=asia,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADDomain </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADObject</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>NewName</maml:name><maml:description><maml:para>Specifies the new name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name". </maml:para><maml:para>The following example shows how to set this parameter to a name string. </maml:para><maml:para>-NewName "SaraDavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>TargetPath</maml:name><maml:description><maml:para>Specifies the new location for the object. This location must be the path to a container or organizational unit. </maml:para><maml:para>The following example shows how to specify a target path by providing the distinguished name. </maml:para><maml:para>-TargetPath "ou=sales,dc=corp,dc=contoso,dc=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavis,OU=users,OU=asia,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADDomain </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADObject</command:parameterValue><dev:type><maml:name>ADObject</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>NewName</maml:name><maml:description><maml:para>Specifies the new name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name". </maml:para><maml:para>The following example shows how to set this parameter to a name string. </maml:para><maml:para>-NewName "SaraDavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>TargetPath</maml:name><maml:description><maml:para>Specifies the new location for the object. This location must be the path to a container or organizational unit. </maml:para><maml:para>The following example shows how to specify a target path by providing the distinguished name. </maml:para><maml:para>-TargetPath "ou=sales,dc=corp,dc=contoso,dc=com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADObject</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>An Active Directory object is received by the Identity parameter. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADOrganizationalUnit </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADDomain </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADObject</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns the restored object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Restore-ADObject -Identity "613dc90a-2afd-49fb-8bd8-eac48c6ab59f" -NewName "Kim Abercrombie" -TargetPath "OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Restores the ADObject while setting the 'msDS-LastKnownRDN' attribute of the deleted object to -NewName parameter and setting the 'lastKnownRDN' to the -TargetPath parameter. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Restore-ADObject -Identity "CN=Kim Abercrombie\0ADEL:613dc90a-2afd-49fb-8bd8-eac48c6ab59f,CN=Deleted Objects,DC=FABRIKAM,DC=COM" -NewName "Kim Abercrombie" -TargetPath "OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Restores the ADObject while setting the 'msDS-LastKnownRDN' attribute of the deleted object to -NewName parameter and setting the 'lastKnownRDN' to the -TargetPath parameter. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADObject -Filter 'samaccountname -eq "kimabercrombie"' -IncludeDeletedObjects | Restore-ADObject </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Find a deleted user whose samaccountname is kimabercrombie, and restore it. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Restore-ADObject -Identity '6bb3bfe9-4355-48ee-b3b6-4fda6917d31d' -Server server1:50000 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Restore an AD-LDS object using ObjectGUID. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 5 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADObject -Filter 'msds-lastknownrdn -eq "user1"' -Server server1:50000 -IncludeDeletedObjects -SearchBase "o=app1,c=us" | Restore-ADObject </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Restore an AD-LDS object using msds-LastKnownRDN. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291104</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADObject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Move-ADObject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADObject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADObject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Rename-ADObject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADObject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText></maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Revoke-ADAuthenticationPolicySiloAccess</command:name><maml:description><maml:para>Revokes membership in an authentication policy silo for the specified account.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Revoke</command:verb><command:noun>ADAuthenticationPolicySiloAccess</command:noun><dev:version /></command:details><maml:description><maml:para>The Revoke-ADAuthenticationPolicySiloAccess cmdlet revokes the membership in an authentication policy silo for one or more accounts in Active Directory® Domain Services. </maml:para><maml:para>The Identity parameter specifies the Active Directory Domain Services authentication policy silo that contains the user accounts to remove. You can identify an authentication policy silo by its distinguished name (DN), GUID or name. You can also use the Identity parameter to specify a variable that contains an authentication policy silo object, or you can use the pipeline operator to pass an authentication policy object to the Identity parameter. </maml:para><maml:para>The Account parameter specifies the users, computers and service accounts to remove from the authentication policy silo specified by the Identity parameter. You can identify a user, computer or service account by its DN, GUID, security identifier (SID), or Security Accounts Manager (SAM) account name. You can also use the Account parameter to specify a variable that contains user, computer, and service account objects.</maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Revoke-ADAuthenticationPolicySiloAccess</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an ADAuthenticationPolicySilo object. Specify the authentication policy silo object in one of the following formats: --Distinguished Name --GUID --Name</maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If the cmdlet finds two or more objects, the cmdlet returns a non-terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicySilo</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Account</maml:name><maml:description><maml:para>Specifies the account to remove from the authentication policy silo. Specify the account in one of the following formats: -- Distinguished Name -- GUID -- Security Identifier -- SAM Account Name </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>You can also use this parameter to specify a variable that contains user, computer, and service account objects.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAccount</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. The acceptable values for this parameter are: --Negotiate or 0 --Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.</maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform the task. The default is the current user. Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the <maml:navigationLink><maml:linkText>Get-Credential</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet. </maml:para><maml:para>By default, the cmdlet uses the credentials of the currently logged on user unless the cmdlet is run from an Active Directory Domain ServicesWindows PowerShell provider drive. If you run the cmdlet in a provider drive, the account associated with the drive is the default.</maml:para><maml:para>If you specify credentials that do not have permission to perform the task, the cmdlet returns an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to which to connect, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Specify the Active Directory Domain Services instance in one of the following ways: --Domain name values: ----Fully qualified domain name ----NetBIOS name --Directory server values: ----Fully qualified directory server name ----NetBIOS name ----Fully qualified directory server name and port</maml:para><maml:para>The default value for this parameter is determined by one of the following methods in the order that they are listed: --By using the Server value from objects passed through the pipeline --By using the server information associated with the Active Directory Domain ServicesWindows PowerShell provider drive, when the cmdlet runs in that drive --By using the domain of the computer running Windows PowerShell</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Account</maml:name><maml:description><maml:para>Specifies the account to remove from the authentication policy silo. Specify the account in one of the following formats: -- Distinguished Name -- GUID -- Security Identifier -- SAM Account Name </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>You can also use this parameter to specify a variable that contains user, computer, and service account objects.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAccount</command:parameterValue><dev:type><maml:name>ADAccount</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. The acceptable values for this parameter are: --Negotiate or 0 --Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform the task. The default is the current user. Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the <maml:navigationLink><maml:linkText>Get-Credential</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet. </maml:para><maml:para>By default, the cmdlet uses the credentials of the currently logged on user unless the cmdlet is run from an Active Directory Domain ServicesWindows PowerShell provider drive. If you run the cmdlet in a provider drive, the account associated with the drive is the default.</maml:para><maml:para>If you specify credentials that do not have permission to perform the task, the cmdlet returns an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an ADAuthenticationPolicySilo object. Specify the authentication policy silo object in one of the following formats: --Distinguished Name --GUID --Name</maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If the cmdlet finds two or more objects, the cmdlet returns a non-terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicySilo</command:parameterValue><dev:type><maml:name>ADAuthenticationPolicySilo</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to which to connect, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Specify the Active Directory Domain Services instance in one of the following ways: --Domain name values: ----Fully qualified domain name ----NetBIOS name --Directory server values: ----Fully qualified directory server name ----NetBIOS name ----Fully qualified directory server name and port</maml:para><maml:para>The default value for this parameter is determined by one of the following methods in the order that they are listed: --By using the Server value from objects passed through the pipeline --By using the server information associated with the Active Directory Domain ServicesWindows PowerShell provider drive, when the cmdlet runs in that drive --By using the domain of the computer running Windows PowerShell</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADAuthenticationPolicySilo</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>This cmdlet accepts an authentication policy silo object. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADAuthenticationPolicySilo</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>This cmdlet returns the modified authentication policy silo object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title>Example 1: Revoke access to an authentication policy silo</maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\>Revoke-ADAuthenticationPolicySiloAccess –Identity AuthenticationPolicySilo01 –Account User01 –Confirm:$False </dev:code><dev:remarks><maml:para>This command revokes access to the authentication policy silo named AuthenticationPolicySilo01 for the user account named User01. Because the Confirm parameter is set to $False, no confirmation message appears.</maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title>Example 2: Revoke access to an authentication policy silo for filter matches</maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\>Get-ADComputer -Filter 'Name -like "newComputer*"' | Revoke-ADAuthenticationPolicySiloAccess -Identity AuthenticationPolicySilo02 Confirm Are you sure you want to perform this action? Performing the operation "Set" on target "CN=Silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=DC01,DC=Contoso,DC=com". [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): A </dev:code><dev:remarks><maml:para>This example first uses the Get-ADComputer cmdlet to get a list of computers that match the filter specified by the Filter parameter. The output is then passed to the Revoke-ADAuthenticationPolicySiloAccess to remove access to the authentication policy silo named AuthenticationPolicySilo02. Because the Confirm parameter is not specified, a confirmation message appears.</maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=296772</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Grant-ADAuthenticationPolicySiloAccess</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Search-ADAccount</command:name><maml:description><maml:para>Gets Active Directory user, computer, or service accounts.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Search</command:verb><command:noun>ADAccount</command:noun><dev:version /></command:details><maml:description><maml:para>The Search-ADAccount cmdlet retrieves one or more user, computer, or service accounts that meet the criteria specified by the parameters. Search criteria include account and password status. For example, you can search for all accounts that have expired by specifying the AccountExpired parameter. Similarly, you can search for all accounts with an expired password by specifying the PasswordExpired parameter. You can limit the search to user accounts by specifying the UsersOnly parameter. Similarly, when you specify the ComputersOnly parameter, the cmdlet only retrieves computer accounts. </maml:para><maml:para>Some search parameters, such as AccountExpiring and AccountInactive use a default time that you can change by specifying the DateTime or TimeSpan parameter. The DateTime parameter specifies a distinct time. The TimeSpan parameter specifies a time range from the current time. For example, to search for all accounts that expire in 10 days, specify the AccountExpiring and TimeSpan parameter and set the value of TimeSpan to "10.00:00:00". To search for all accounts that expire before December 31, 2012, set the DateTime parameter to "12/31/2012". </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Search-ADAccount</maml:name></command:syntaxItem></command:syntax><command:parameters></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADAccount</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns one or more account objects that meet the conditions set by the parameters. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Search-ADAccount -AccountDisabled | FT Name,ObjectClass -A Name ObjectClass ---- ----------- Guest user krbtgt user krbtgt_51399 user AmyAl-LPTOP computer DeepakAn-DSKTOP computer </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Returns all users, computers and service accounts that are disabled. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Search-ADAccount -AccountDisabled -UsersOnly | FT Name,ObjectClass -A Name ObjectClass ---- ----------- Guest user krbtgt user krbtgt_51399 user </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Returns all users that are disabled. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Search-ADAccount -AccountExpired | FT Name,ObjectClass -A Name ObjectClass ---- ----------- Greg Chapman user Claus Hansen user Tomasz Bochenek user </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Returns all users, computers and service accounts that are expired. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Search-ADAccount -AccountExpiring -TimeSpan 6.00:00:00 | FT Name,ObjectClass -A Name ObjectClass ---- ----------- Iulian Calinov user John Campbell user Garth Fort user </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Returns all users, computers and service accounts that will expire in the next 6 days. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 5 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 | FT Name,ObjectClass -A Name ObjectClass ---- ----------- FABRIKAM-RODC1 computer Guest user krbtgt user krbtgt_51399 user Almudena Benito user Aaron Con user Adina Hagege user Aaron Nicholls user Aaron M. Painter user Jeff Phillips user Flemming Pedersen use </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Returns all accounts that have been inactive for the last 90 days. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 6 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Search-ADAccount -PasswordExpired | FT Name,ObjectClass -A Name ObjectClass ---- ----------- Stan Orme user Danni Ortman user Matej Potokar user </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Returns all accounts where the password has expired. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 7 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Search-ADAccount -PasswordNeverExpires | FT Name,ObjectClass -A Name ObjectClass ---- ----------- Guest user Toni Poe user Anders Riis user Fabien Hernoux user </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Returns all accounts with a password that will never expire. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 8 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Search-ADAccount -LockedOut | FT Name,ObjectClass -A Name ObjectClass ---- ----------- Toni Poe user </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Returns all accounts that have been locked out. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 9 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Search-ADAccount -AccountDisabled -ComputersOnly | FT Name,ObjectClass -A Name ObjectClass ---- ----------- TPOE-PC1 computer </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Returns all disabled computer accounts. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 10 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Search-ADAccount -AccountExpiring -DateTime "3/18/2009" | FT Name,ObjectClass -A Name ObjectClass ---- ----------- Anders Riis user </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Returns all accounts which expire on the 18th of March, 2009. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 11 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Search-AdAccount -AccountDisabled -SearchBase "DC=AppNC" -Server "FABRIKAM-SRV1:60000" Enabled : False Name : SanjayPatel UserPrincipalName : PasswordNeverExpires : LockedOut : False ObjectGUID : d671de28-6e40-42a7-b32c-63d336de296d ObjectClass : user SID : S-1-510474493-936115905-2231798853-1260534229-4171027843-767619944 PasswordExpired : False LastLogonDate : DistinguishedName : CN=SanjayPatel,OU=AccountDeptOU,DC=AppNC AccountExpirationDate : </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Returns all users, computers and service accounts that are disabled in the LDS instance: "FABRIKAM-SRV1:60000". </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291105</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Clear-ADAccountExpiration</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Disable-ADAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Enable-ADAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADAccountResultantPasswordReplicationPolicy</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADAccountControl</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADAccountExpiration</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADAccountPassword</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Unlock-ADAccount</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Set-ADAccountAuthenticationPolicySilo</command:name><maml:description><maml:para>Modifies the authentication policy or authentication policy silo of an account.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Set</command:verb><command:noun>ADAccountAuthenticationPolicySilo</command:noun><dev:version /></command:details><maml:description><maml:para>The Set-ADAccountAuthenticationPolicySilo cmdlet modifies the authentication policy or authentication policy silo of an account. This cmdlet assigns authentication policy silo objects and authentication policy object to an Active Directory Domain Services account. In order for the account to belong to an authentication policy silo, you must use the Grant-ADAuthenticationPolicySiloAccess cmdlet to grant access to the object.</maml:para><maml:para>The Identity parameter specifies the Active Directory Domain Services authentication policy to modify. You can identify an authentication policy by its distinguished name (DN), GUID or name. You can also use the Identity parameter to specify a variable that contains an authentication policy object, or you can use the pipeline operator to pass an authentication policy object to the Identity parameter.</maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Set-ADAccountAuthenticationPolicySilo</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="0" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory Domain Services object. Specify the Active Directory Domain Services object in one of the following formats: --Distinguished Name --GUID --Name</maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If the cmdlet finds two or more objects, the cmdlet returns a non-terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAccount</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthenticationPolicy</maml:name><maml:description><maml:para>Specifies an Active Directory Domain Services authentication policy object. Specify the authentication policy object in one of the following formats: --Distinguished Name --GUID --Name</maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If the cmdlet finds two or more objects, the cmdlet returns a non-terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthenticationPolicySilo</maml:name><maml:description><maml:para>Specifies an Active Directory Domain Services authentication policy silo object. Specify the authentication policy silo object in one of the following formats: --Distinguished Name --GUID --Name</maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If the cmdlet finds two or more objects, the cmdlet returns a non-terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicySilo</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. The acceptable values for this parameter are: --Negotiate or 0 --Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.</maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform the task. The default is the current user. Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the <maml:navigationLink><maml:linkText>Get-Credential</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet. </maml:para><maml:para>By default, the cmdlet uses the credentials of the currently logged on user unless the cmdlet is run from an Active Directory Domain ServicesWindows PowerShell provider drive. If you run the cmdlet in a provider drive, the account associated with the drive is the default.</maml:para><maml:para>If you specify credentials that do not have permission to perform the task, the cmdlet returns an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to which to connect, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Specify the Active Directory Domain Services instance in one of the following ways: --Domain name values: ----Fully qualified domain name ----NetBIOS name --Directory server values: ----Fully qualified directory server name ----NetBIOS name ----Fully qualified directory server name and port</maml:para><maml:para>The default value for this parameter is determined by one of the following methods in the order that they are listed: --By using the Server value from objects passed through the pipeline --By using the server information associated with the Active Directory Domain ServicesWindows PowerShell provider drive, when the cmdlet runs in that drive --By using the domain of the computer running Windows PowerShell</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthenticationPolicy</maml:name><maml:description><maml:para>Specifies an Active Directory Domain Services authentication policy object. Specify the authentication policy object in one of the following formats: --Distinguished Name --GUID --Name</maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If the cmdlet finds two or more objects, the cmdlet returns a non-terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue><dev:type><maml:name>ADAuthenticationPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthenticationPolicySilo</maml:name><maml:description><maml:para>Specifies an Active Directory Domain Services authentication policy silo object. Specify the authentication policy silo object in one of the following formats: --Distinguished Name --GUID --Name</maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If the cmdlet finds two or more objects, the cmdlet returns a non-terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicySilo</command:parameterValue><dev:type><maml:name>ADAuthenticationPolicySilo</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. The acceptable values for this parameter are: --Negotiate or 0 --Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform the task. The default is the current user. Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the <maml:navigationLink><maml:linkText>Get-Credential</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet. </maml:para><maml:para>By default, the cmdlet uses the credentials of the currently logged on user unless the cmdlet is run from an Active Directory Domain ServicesWindows PowerShell provider drive. If you run the cmdlet in a provider drive, the account associated with the drive is the default.</maml:para><maml:para>If you specify credentials that do not have permission to perform the task, the cmdlet returns an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="0" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory Domain Services object. Specify the Active Directory Domain Services object in one of the following formats: --Distinguished Name --GUID --Name</maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If the cmdlet finds two or more objects, the cmdlet returns a non-terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAccount</command:parameterValue><dev:type><maml:name>ADAccount</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to which to connect, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Specify the Active Directory Domain Services instance in one of the following ways: --Domain name values: ----Fully qualified domain name ----NetBIOS name --Directory server values: ----Fully qualified directory server name ----NetBIOS name ----Fully qualified directory server name and port</maml:para><maml:para>The default value for this parameter is determined by one of the following methods in the order that they are listed: --By using the Server value from objects passed through the pipeline --By using the server information associated with the Active Directory Domain ServicesWindows PowerShell provider drive, when the cmdlet runs in that drive --By using the domain of the computer running Windows PowerShell</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADAccount</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>System.Object</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title>Example 1: Assign an authentication policy silo and authentication policy </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\>Set-ADAccountAuthenticationPolicySilo -Identity User01 -AuthenticationPolicySilo AuthenticationPolicySilo01 –AuthenticationPolicy AuthenticationPolicy01 </dev:code><dev:remarks><maml:para>This example assigns the authentication policy silo named AuthenticationPolicySilo01 and the authentication policy named AuthenticationPolicy01 to the user account named User01.</maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title>Example 2: Assign an authentication policy silo and authentication policy by using a filter </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\>Get-ADComputer –Filter 'Name –like "newComputer*"' | Set-ADAccountAuthenticationPolicySilo –AuthenticationPolicySilo AuthenticationPolicySilo02 –AuthenticationPolicy AuthenticationPolicy02 </dev:code><dev:remarks><maml:para>This example first uses the Get-ADComputer cmdlet to get all computer accounts that match the filter specified by the Filter parameter. The output of this command is passed to Set-ADAccountAuthenticatinPolicySilo to assign the authentication policy silo named AuthenticationPolicySilo02 and the authentication policy named AuthenticationPolicy02 to them. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=313379</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Grant-ADAuthenticationPolicySiloAccess</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Set-ADAccountControl</command:name><maml:description><maml:para>Modifies user account control (UAC) values for an Active Directory account.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Set</command:verb><command:noun>ADAccountControl</command:noun><dev:version /></command:details><maml:description><maml:para>The Set-ADAccountControl cmdlet modifies the user account control (UAC) values for an Active Directory user or computer account. UAC values are represented by cmdlet parameters. For example, set the PasswordExpired parameter to change whether an account is expired and to modify the ADS_UF_PASSWORD_EXPIRED UAC value. </maml:para><maml:para>The Identity parameter specifies the Active Directory account to modify. </maml:para><maml:para>You can identify an account by its distinguished name (DN), GUID, security identifier (SID) or security accounts manager (SAM) account name. You can also set the Identity parameter to an object variable such as $<localADAccountObject>, or you can pass an account object through the pipeline to the Identity parameter. For example, you can use the Search-ADAccount cmdlet to retrieve an account object and then pass the object through the pipeline to the Set-ADAccountControl cmdlet. Similarly, you can use Get-ADUser, Get-ADComputer or Get-ADServiceAccount cmdlets to retrieve account objects that you can pass through the pipeline to this cmdlet. </maml:para><maml:para>For AD LDS environments, the Partition parameter must be specified except in the following two conditions: </maml:para><maml:para>-The cmdlet is run from an Active Directory provider drive. </maml:para><maml:para>-A default naming context or partition is defined for the AD LDS environment. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Set-ADAccountControl</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis ,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-Specifies an Active Directory account object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute.4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an account object instance. </maml:para><maml:para>Derived types such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saradavis,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to an account object instance named "accountInstance". </maml:para><maml:para>-Identity $accountInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAccount</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AccountNotDelegated</maml:name><maml:description><maml:para>Specifies whether the security context of the user is delegated to a service. When this parameter is set to true, the security context of the account is not delegated to a service even when the service account is set as trusted for Kerberos delegation. This parameter sets the AccountNotDelegated property for an Active Directory account. This parameter also sets the ADS_UF_NOT_DELEGATED flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that the security context of the account is not delegated to a service. </maml:para><maml:para>-AccountNotDelegated $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AllowReversiblePasswordEncryption</maml:name><maml:description><maml:para>Specifies whether reversible password encryption is allowed for the account. This parameter sets the AllowReversiblePasswordEncryption property of the account. This parameter also sets the ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-AllowReversiblePasswordEncryption $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>CannotChangePassword</maml:name><maml:description><maml:para>Modifies the ability of an account to change its password. To disallow password change by the account set this to $true.. This parameter changes the Boolean value of the CannotChangePassword property of an account. </maml:para><maml:para>The following example shows how to specify the PasswordCannotChange parameter. </maml:para><maml:para>-CannotChangePassword $false </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>DoesNotRequirePreAuth</maml:name><maml:description><maml:para>Specifies whether Kerberos pre-authentication is required to logon using the user or computer account. This parameter sets the ADS_UF_DONT_REQUIRE_PREAUTH flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that Kerberos pre-authentication is required to logon to the account. </maml:para><maml:para>-DoesNotRequirePreAuth $false </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Enabled</maml:name><maml:description><maml:para>Specifies if an account is enabled. An enabled account requires a password. This parameter sets the Enabled property for an account object. This parameter also sets the ADS_UF_ACCOUNTDISABLE flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to enable the account. </maml:para><maml:para>-Enabled $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>HomedirRequired</maml:name><maml:description><maml:para>Specifies whether a home directory is required for the account. This parameter sets the ADS_UF_HOMEDIR_REQUIRED flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that a home directory is not required for the account. </maml:para><maml:para>-HomedirRequired $false </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>MNSLogonAccount</maml:name><maml:description><maml:para>Specifies whether the account is a Majority Node Set (MNS) logon account. This parameter also sets the ADS_UF_MNS_LOGON_ACCOUNT flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>You can use MNS logon accounts to configure a multi-node cluster without using a shared disk drive. </maml:para><maml:para>The following example shows how to set this parameter to identify this account as an MNS account. </maml:para><maml:para>-MSNLogonAccount $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PasswordNeverExpires</maml:name><maml:description><maml:para>Specifies whether the password of an account can expire. This parameter sets the PasswordNeverExpires property of an account object. This parameter also sets the ADS_UF_DONT_EXPIRE_PASSWD flag of the Active Directory User Account Control attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>Note: This parameter cannot be set to $true or 1 for an account that also has the ChangePasswordAtLogon property set to true. </maml:para><maml:para>The following example shows how to set this parameter so that the password can expire. </maml:para><maml:para>-PasswordNeverExpires $false </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PasswordNotRequired</maml:name><maml:description><maml:para>Specifies whether the account requires a password. This parameter sets the PasswordNotRequired property of an account, such as a user or computer account. This parameter also sets the ADS_UF_PASSWD_NOTREQD flag of the Active Directory User Account Control attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that as password is not required for the account. </maml:para><maml:para>-PasswordNotRequired $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>TrustedForDelegation</maml:name><maml:description><maml:para>Specifies whether an account is trusted for Kerberos delegation. A service that runs under an account that is trusted for Kerberos delegation can assume the identity of a client requesting the service. This parameter sets the TrustedForDelegation property of an account object. This value also sets the ADS_UF_TRUSTED_FOR_DELEGATION flag of the Active Directory User Account Control attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to specify that an account is trusted for Kerberos delegation. </maml:para><maml:para>-TrustedForDelegation $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>TrustedToAuthForDelegation</maml:name><maml:description><maml:para>Specifies whether an account is enabled for delegation. When this parameter is set to true, a service running under such an account can impersonate a client on other remote servers on the network. This parameter sets the ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION flag of the Active Directory User Account Control attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that the account is enabled for delegation. </maml:para><maml:para>-TrustedToAuthForDelegation $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>UseDESKeyOnly</maml:name><maml:description><maml:para>Specifies whether an account is restricted to use only Data Encryption Standard (DES) encryption types for keys. This parameter sets the </maml:para><maml:para>ADS_UF_USE_DES_KEY_ONLY flag of the Active Directory User Account Control attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that an account must use DES encryption types for keys. </maml:para><maml:para>-UseDESKeyOnly $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AccountNotDelegated</maml:name><maml:description><maml:para>Specifies whether the security context of the user is delegated to a service. When this parameter is set to true, the security context of the account is not delegated to a service even when the service account is set as trusted for Kerberos delegation. This parameter sets the AccountNotDelegated property for an Active Directory account. This parameter also sets the ADS_UF_NOT_DELEGATED flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that the security context of the account is not delegated to a service. </maml:para><maml:para>-AccountNotDelegated $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AllowReversiblePasswordEncryption</maml:name><maml:description><maml:para>Specifies whether reversible password encryption is allowed for the account. This parameter sets the AllowReversiblePasswordEncryption property of the account. This parameter also sets the ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-AllowReversiblePasswordEncryption $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>CannotChangePassword</maml:name><maml:description><maml:para>Modifies the ability of an account to change its password. To disallow password change by the account set this to $true.. This parameter changes the Boolean value of the CannotChangePassword property of an account. </maml:para><maml:para>The following example shows how to specify the PasswordCannotChange parameter. </maml:para><maml:para>-CannotChangePassword $false </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>DoesNotRequirePreAuth</maml:name><maml:description><maml:para>Specifies whether Kerberos pre-authentication is required to logon using the user or computer account. This parameter sets the ADS_UF_DONT_REQUIRE_PREAUTH flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that Kerberos pre-authentication is required to logon to the account. </maml:para><maml:para>-DoesNotRequirePreAuth $false </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Enabled</maml:name><maml:description><maml:para>Specifies if an account is enabled. An enabled account requires a password. This parameter sets the Enabled property for an account object. This parameter also sets the ADS_UF_ACCOUNTDISABLE flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to enable the account. </maml:para><maml:para>-Enabled $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>HomedirRequired</maml:name><maml:description><maml:para>Specifies whether a home directory is required for the account. This parameter sets the ADS_UF_HOMEDIR_REQUIRED flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that a home directory is not required for the account. </maml:para><maml:para>-HomedirRequired $false </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis ,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-Specifies an Active Directory account object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute.4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an account object instance. </maml:para><maml:para>Derived types such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saradavis,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to an account object instance named "accountInstance". </maml:para><maml:para>-Identity $accountInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAccount</command:parameterValue><dev:type><maml:name>ADAccount</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>MNSLogonAccount</maml:name><maml:description><maml:para>Specifies whether the account is a Majority Node Set (MNS) logon account. This parameter also sets the ADS_UF_MNS_LOGON_ACCOUNT flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>You can use MNS logon accounts to configure a multi-node cluster without using a shared disk drive. </maml:para><maml:para>The following example shows how to set this parameter to identify this account as an MNS account. </maml:para><maml:para>-MSNLogonAccount $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PasswordNeverExpires</maml:name><maml:description><maml:para>Specifies whether the password of an account can expire. This parameter sets the PasswordNeverExpires property of an account object. This parameter also sets the ADS_UF_DONT_EXPIRE_PASSWD flag of the Active Directory User Account Control attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>Note: This parameter cannot be set to $true or 1 for an account that also has the ChangePasswordAtLogon property set to true. </maml:para><maml:para>The following example shows how to set this parameter so that the password can expire. </maml:para><maml:para>-PasswordNeverExpires $false </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PasswordNotRequired</maml:name><maml:description><maml:para>Specifies whether the account requires a password. This parameter sets the PasswordNotRequired property of an account, such as a user or computer account. This parameter also sets the ADS_UF_PASSWD_NOTREQD flag of the Active Directory User Account Control attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that as password is not required for the account. </maml:para><maml:para>-PasswordNotRequired $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>TrustedForDelegation</maml:name><maml:description><maml:para>Specifies whether an account is trusted for Kerberos delegation. A service that runs under an account that is trusted for Kerberos delegation can assume the identity of a client requesting the service. This parameter sets the TrustedForDelegation property of an account object. This value also sets the ADS_UF_TRUSTED_FOR_DELEGATION flag of the Active Directory User Account Control attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to specify that an account is trusted for Kerberos delegation. </maml:para><maml:para>-TrustedForDelegation $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>TrustedToAuthForDelegation</maml:name><maml:description><maml:para>Specifies whether an account is enabled for delegation. When this parameter is set to true, a service running under such an account can impersonate a client on other remote servers on the network. This parameter sets the ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION flag of the Active Directory User Account Control attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that the account is enabled for delegation. </maml:para><maml:para>-TrustedToAuthForDelegation $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>UseDESKeyOnly</maml:name><maml:description><maml:para>Specifies whether an account is restricted to use only Data Encryption Standard (DES) encryption types for keys. This parameter sets the </maml:para><maml:para>ADS_UF_USE_DES_KEY_ONLY flag of the Active Directory User Account Control attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that an account must use DES encryption types for keys. </maml:para><maml:para>-UseDESKeyOnly $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADAccount</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>An account object is received by the Identity parameter. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para><maml:para>This cmdlet does not work when connected to Global Catalog port. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADAccountControl JimmyBi -PasswordNotRequired $false </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Sets the flag on userAccountControl to make sure that a password is required for logon. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADAccountControl 'CN=Jimmy Bischoff,OU=HumanResources,OU=UserAccounts,DC=FABRIKAM,DC=COM' -CannotChangePassword $true </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Sets the security descriptor of the user to make sure they cannot change their own password. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADAccountControl SQLAdmin1 -AccountNotDelegated $true </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Sets the flag on userAccountControl to make sure that the account cannot be delegated. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADAccountControl 'CN=IIS01 SvcAccount,OU=ServiceAccounts,OU=Managed,DC=FABRIKAM,DC=COM' -TrustedToAuthForDelegation $true </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Sets the flag on userAccountControl to make sure that the account is now trusted to authenticate for delegation. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 5 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADAccountControl -Identity "FABRIKAM-SRV1" -TrustedForDelegation $true </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>The specified computer is now set to be trusted for delegation. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 6 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADAccountControl DickBe -PasswordNeverExpires $true </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Sets the password of the user to never expire. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 7 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADAccountControl 'CN=Dick Beekman,OU=HumanResources,OU=UserAccounts,DC=FABRIKAM,DC=COM' -HomedirRequired $true </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Sets the user account to require a Home Directory. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291106</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADComputer</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADUser</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Set-ADAccountExpiration</command:name><maml:description><maml:para>Sets the expiration date for an Active Directory account.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Set</command:verb><command:noun>ADAccountExpiration</command:noun><dev:version /></command:details><maml:description><maml:para>The Set-ADAccountExpiration cmdlet sets the expiration time for a user, computer or service account. To specify an exact time, use the DateTime parameter. To specify a time period from the current time, use the TimeSpan parameter. </maml:para><maml:para>The Identity parameter specifies the Active Directory account to modify. </maml:para><maml:para>You can identify an account by its distinguished name (DN), GUID, security identifier (SID), or Security Accounts Manager (SAM) account name. You can also set the Identity parameter to an object variable such as $<localADAccountObject>, or you can pass an account object through the pipeline to the Identity parameter. For example, you can use the Search-ADAccount cmdlet to retrieve an account object and then pass the object through the pipeline to the Set-ADAccountExpiration cmdlet. Similarly, you can use Get-ADUser, Get-ADComputer or Get-ADServiceAccount cmdlets to retrieve account objects that you can pass through the pipeline to this cmdlet. </maml:para><maml:para>For AD LDS environments, the Partition parameter must be specified except in the following two conditions: </maml:para><maml:para>-The cmdlet is run from an Active Directory provider drive. </maml:para><maml:para>-A default naming context or partition is defined for the AD LDS environment. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Set-ADAccountExpiration</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory account object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis ,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an account object instance. </maml:para><maml:para>Derived types such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saradavis,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to an account object instance named "accountInstance". </maml:para><maml:para>-Identity $accountInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAccount</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="3" aliases=""><maml:name>DateTime</maml:name><maml:description><maml:para>Species the expiration time for the account by using a DateTime value. The following examples show commonly-used syntax to specify a DateTime value. Time is assumed to be local time unless otherwise specified. When a time value is not specified, the time is assumed to 12:00:00 AM local time. When a date is not specified, the date is assumed to be the current date. </maml:para><maml:para>"4/17/2006" </maml:para><maml:para>"Monday, April 17, 2006" </maml:para><maml:para>"2:22:45 PM" </maml:para><maml:para>"Monday, April 17, 2006 2:22:45 PM" </maml:para><maml:para>These examples specify the same date and the time without the seconds. </maml:para><maml:para>"4/17/2006 2:22 PM" </maml:para><maml:para>"Monday, April 17, 2006 2:22 PM" </maml:para><maml:para>"2:22 PM" </maml:para><maml:para>The following example shows how to specify a date and time by using the RFC1123 standard. This example defines time by using Greenwich Mean Time (GMT). </maml:para><maml:para>"Mon, 17 Apr 2006 21:22:48 GMT" </maml:para><maml:para>The following example shows how to specify a round-trip value as Coordinated Universal Time (UTC). This example represents Monday, April 17, 2006 at 2:22:48 PM UTC. </maml:para><maml:para>"2000-04-17T14:22:48.0000000" </maml:para><maml:para>The following example shows how to set the DateTime parameter to June 18, 2012 at 2:00:00 AM. </maml:para><maml:para>-DateTime "6/18/2012 2:00:00 AM" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>TimeSpan</maml:name><maml:description><maml:para>Specifies a time interval that begins at the current time. The account expires at the end of the time interval. </maml:para><maml:para>Specify the time interval in the following format. </maml:para><maml:para>[-]D.H:M:S.F </maml:para><maml:para>where: </maml:para><maml:para>D = Days (0 to 10675199) </maml:para><maml:para>H = Hours (0 to 23) </maml:para><maml:para>M = Minutes (0 to 59) </maml:para><maml:para>S = Seconds (0 to 59) </maml:para><maml:para>F= Fractions of a second (0 to 9999999) </maml:para><maml:para>Note: Time values must be between the following values: </maml:para><maml:para>-10675199:02:48:05.4775808 and 10675199:02:48:05.4775807. </maml:para><maml:para>The following examples show how to set this parameter. </maml:para><maml:para>Set the time to 2 days </maml:para><maml:para>-TimeSpan "2" </maml:para><maml:para>Set the time to 4 hours </maml:para><maml:para>-TimeSpan "4:00" </maml:para><maml:para>Set the time to 5 minutes </maml:para><maml:para>-TimeSpan "0:5" </maml:para><maml:para>Set the time to 45 seconds </maml:para><maml:para>-TimeSpan "0:0:45" </maml:para><maml:para>For example, to set an account to expire in 10 days, specify the TimeSpan parameter as follows. </maml:para><maml:para>-TimeSpan "10" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">TimeSpan</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="3" aliases=""><maml:name>DateTime</maml:name><maml:description><maml:para>Species the expiration time for the account by using a DateTime value. The following examples show commonly-used syntax to specify a DateTime value. Time is assumed to be local time unless otherwise specified. When a time value is not specified, the time is assumed to 12:00:00 AM local time. When a date is not specified, the date is assumed to be the current date. </maml:para><maml:para>"4/17/2006" </maml:para><maml:para>"Monday, April 17, 2006" </maml:para><maml:para>"2:22:45 PM" </maml:para><maml:para>"Monday, April 17, 2006 2:22:45 PM" </maml:para><maml:para>These examples specify the same date and the time without the seconds. </maml:para><maml:para>"4/17/2006 2:22 PM" </maml:para><maml:para>"Monday, April 17, 2006 2:22 PM" </maml:para><maml:para>"2:22 PM" </maml:para><maml:para>The following example shows how to specify a date and time by using the RFC1123 standard. This example defines time by using Greenwich Mean Time (GMT). </maml:para><maml:para>"Mon, 17 Apr 2006 21:22:48 GMT" </maml:para><maml:para>The following example shows how to specify a round-trip value as Coordinated Universal Time (UTC). This example represents Monday, April 17, 2006 at 2:22:48 PM UTC. </maml:para><maml:para>"2000-04-17T14:22:48.0000000" </maml:para><maml:para>The following example shows how to set the DateTime parameter to June 18, 2012 at 2:00:00 AM. </maml:para><maml:para>-DateTime "6/18/2012 2:00:00 AM" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue><dev:type><maml:name>DateTime</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory account object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis ,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an account object instance. </maml:para><maml:para>Derived types such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saradavis,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to an account object instance named "accountInstance". </maml:para><maml:para>-Identity $accountInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAccount</command:parameterValue><dev:type><maml:name>ADAccount</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>TimeSpan</maml:name><maml:description><maml:para>Specifies a time interval that begins at the current time. The account expires at the end of the time interval. </maml:para><maml:para>Specify the time interval in the following format. </maml:para><maml:para>[-]D.H:M:S.F </maml:para><maml:para>where: </maml:para><maml:para>D = Days (0 to 10675199) </maml:para><maml:para>H = Hours (0 to 23) </maml:para><maml:para>M = Minutes (0 to 59) </maml:para><maml:para>S = Seconds (0 to 59) </maml:para><maml:para>F= Fractions of a second (0 to 9999999) </maml:para><maml:para>Note: Time values must be between the following values: </maml:para><maml:para>-10675199:02:48:05.4775808 and 10675199:02:48:05.4775807. </maml:para><maml:para>The following examples show how to set this parameter. </maml:para><maml:para>Set the time to 2 days </maml:para><maml:para>-TimeSpan "2" </maml:para><maml:para>Set the time to 4 hours </maml:para><maml:para>-TimeSpan "4:00" </maml:para><maml:para>Set the time to 5 minutes </maml:para><maml:para>-TimeSpan "0:5" </maml:para><maml:para>Set the time to 45 seconds </maml:para><maml:para>-TimeSpan "0:0:45" </maml:para><maml:para>For example, to set an account to expire in 10 days, specify the TimeSpan parameter as follows. </maml:para><maml:para>-TimeSpan "10" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">TimeSpan</command:parameterValue><dev:type><maml:name>TimeSpan</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADAccount</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>An account object is received by the Identity parameter. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADAccountExpiration KarenBe -DateTime "10/18/2008" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Sets the account with SamAccountName: KarenBe to expire on the 18th of October, 2008. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADGroupMember BO1Accounts | where {$_.objectClass -eq "user"} | Set-ADAccountExpiration -timespan 60.0:0 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Sets the expiration date of all the user accounts who are a member of the group: BO1Accounts to 60 days from now. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291107</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Clear-ADAccountExpiration</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADComputer</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADUser</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Search-ADAccount</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Set-ADAccountPassword</command:name><maml:description><maml:para>Modifies the password of an Active Directory account.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Set</command:verb><command:noun>ADAccountPassword</command:noun><dev:version /></command:details><maml:description><maml:para>The Set-ADAccountPassword cmdlet sets the password for a user, computer or service account. </maml:para><maml:para>The Identity parameter specifies the Active Directory account to modify. </maml:para><maml:para>You can identify an account by its distinguished name (DN), GUID, security identifier (SID) or security accounts manager (SAM) account name. You can also set the Identity parameter to an object variable such as $<localADAccountObject>, or you can pass an object through the pipeline to the Identity parameter. For example, you can use the Search-ADAccount cmdlet to retrieve an account object and then pass the object through the pipeline to the Set-ADAccountPassword cmdlet. Similarly, you can use Get-ADUser, Get-ADComputer or Get-ADServiceAccount, for standalone MSAs, cmdlets to retrieve account objects that you can pass through the pipeline to this cmdlet. </maml:para><maml:para>Note: Group MSAs cannot set password since they are changed at predetermined intervals. </maml:para><maml:para>You must set the OldPassword and the NewPassword parameters to set the password unless you specify the Reset parameter. When you specify the Reset parameter, the password is set to the NewPassword value that you provide and the OldPassword parameter is not required. </maml:para><maml:para>For AD LDS environments, the Partition parameter must be specified except in the following two conditions: </maml:para><maml:para>-The cmdlet is run from an Active Directory provider drive. </maml:para><maml:para>-A default naming context or partition is defined for the AD LDS environment. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Set-ADAccountPassword</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory user object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM account name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=SaraDavis,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a user object instance named "userInstance". </maml:para><maml:para>-Identity $userInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAccount</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>NewPassword</maml:name><maml:description><maml:para>Specifies a new password value. This value is stored as an encrypted string. </maml:para><maml:para>The following example shows how to set this parameter. This command will prompt you and wait for a password. </maml:para><maml:para>-NewPassword (Read-Host -AsSecureString "New Password") </maml:para></maml:description><command:parameterValue required="true" variableLength="false">SecureString</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OldPassword</maml:name><maml:description><maml:para>Specifies the most recent password value. This value is processed as a encrypted string. </maml:para><maml:para>The following example shows how to set this parameter. This command will prompt you and wait for a password. </maml:para><maml:para>-OldPassword (Read-Host -AsSecureString "Old Password") </maml:para></maml:description><command:parameterValue required="true" variableLength="false">SecureString</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Reset</maml:name><maml:description><maml:para>Specifies to reset the password on an account. When you use this parameter, you must set the NewPassword parameter. You do not need to specify the OldPassword parameter. </maml:para><maml:para>The following example shows how to use this parameter to set a new password. This command will prompt you then wait for a password. </maml:para><maml:para>-Reset -NewPassword (Read-Host -AsSecureString "New Password") </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory user object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM account name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=SaraDavis,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a user object instance named "userInstance". </maml:para><maml:para>-Identity $userInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAccount</command:parameterValue><dev:type><maml:name>ADAccount</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>NewPassword</maml:name><maml:description><maml:para>Specifies a new password value. This value is stored as an encrypted string. </maml:para><maml:para>The following example shows how to set this parameter. This command will prompt you and wait for a password. </maml:para><maml:para>-NewPassword (Read-Host -AsSecureString "New Password") </maml:para></maml:description><command:parameterValue required="true" variableLength="false">SecureString</command:parameterValue><dev:type><maml:name>SecureString</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OldPassword</maml:name><maml:description><maml:para>Specifies the most recent password value. This value is processed as a encrypted string. </maml:para><maml:para>The following example shows how to set this parameter. This command will prompt you and wait for a password. </maml:para><maml:para>-OldPassword (Read-Host -AsSecureString "Old Password") </maml:para></maml:description><command:parameterValue required="true" variableLength="false">SecureString</command:parameterValue><dev:type><maml:name>SecureString</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Reset</maml:name><maml:description><maml:para>Specifies to reset the password on an account. When you use this parameter, you must set the NewPassword parameter. You do not need to specify the OldPassword parameter. </maml:para><maml:para>The following example shows how to use this parameter to set a new password. This command will prompt you then wait for a password. </maml:para><maml:para>-Reset -NewPassword (Read-Host -AsSecureString "New Password") </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADAccount</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>An account object is received by the Identity parameter. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. This cmdlet does not work when connected to Global Catalog port. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADAccountPassword 'CN=Jeremy Los,OU=Accounts,DC=Fabrikam,DC=com' -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "p@ssw0rd" -Force) </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Sets the password of the user account with DistinguishedName: 'CN=Jeremy Los,OU=Accounts,DC=Fabrikam,DC=com' to 'p@ssw0rd'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADAccountPassword -Identity tmakovec -OldPassword (ConvertTo-SecureString -AsPlainText "p@ssw0rd" -Force) -NewPassword (ConvertTo-SecureString -AsPlainText "qwert@12345" -Force) </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Sets the password of the user account with SamAccountName: tmakovec to 'qwert@12345'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADAccountPassword -Identity saradavi Please enter the current password for 'CN=Sara Davis,CN=Users,DC=Fabrikam,DC=com' Password:********** Please enter the desired password for 'CN=Sara Davis,CN=Users,DC=Fabrikam,DC=com' Password:*********** Repeat Password:*********** </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Sets the password of the user account with DistinguishedName: 'CN=Sara Davis,CN=Users,DC=Fabrikam,DC=com' (user is prompted for old and new password). </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>$newPassword = (Read-Host -Prompt "Provide New Password" -AsSecureString); Set-ADAccountPassword -Identity mollyd -NewPassword $newPassword -Reset Provide New Password: ********** </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Prompts the user for a new password that is stored in a temporary variable named $newPassword, then uses it to reset the password for the user account with SamAccountName: mollyd. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 5 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\Users\administrator.FABRIKAM> set-adaccountpassword "CN=Molly Dempsey,OU=AccountDeptOU,DC=AppNC" -server "dsp13a24:60000" Please enter the current password for 'CN=mollyd,OU=AccountDeptOU,DC=AppNC' Password:********** Please enter the desired password for 'CN=mollyd,OU=AccountDeptOU,DC=AppNC' Password:********** Repeat Password:********** </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Sets the password of the user account with DistinguishedName: 'CN=mollyd,OU=AccountDeptOU,DC=AppNC' in the AD LDS instance: "dsp13a24:60000" (user is prompted for old and new password). </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291108</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADComputer</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADUser</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Search-ADAccount</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Set-ADAuthenticationPolicy</command:name><maml:description><maml:para>Modifies an Active Directory Domain Services authentication policy object.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Set</command:verb><command:noun>ADAuthenticationPolicy</command:noun><dev:version /></command:details><maml:description><maml:para>The Set-ADAuthenticationPolicy cmdlet modifies the properties of an Active Directory® Domain Services authentication policy. Commonly used attributes of the object can be specified by the parameters of this cmdlet. Property values that are not associated with cmdlet parameters can be modified by using the Add, Replace, Clear and Remove parameters. </maml:para><maml:para>The Identity parameter specifies the Active Directory Domain Services authentication policy to modify. You can specify an authentication policy object by using a distinguished name (DN), a GUID, or a name. You can also use the Identity parameter to specify a variable that contains an authentication policy object, or you can use the pipeline operator to pass an authentication policy object to the Identity parameter. To get an authentication policy object, use the Get-ADAuthenticationPolicy cmdlet. </maml:para><maml:para>Use the Instance parameter to specify an authentication policy object to use as a template for the object being modified. Do not specify both the Instance parameter and the Identity parameter. </maml:para><maml:para>For more information about how the Instance concept is used in Active Directory Domain Services cmdlets, see about_ActiveDirectory_Instance.</maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Set-ADAuthenticationPolicy</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="0" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory Domain Services authentication policy object. Specify the authentication policy object in one of the following formats: --Distinguished Name --GUID --Name</maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If the cmdlet finds two or more objects, the cmdlet returns a non-terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies a list of values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a parameter. To identify an attribute, specify the LDAP Display Name defined for it in the Active Directory Domain Services schema. </maml:para><maml:para>Specify the attribute and the value of the attribute in the following format: @{'AttributeLDAPDisplayName'=value}. </maml:para><maml:para>To specify multiple values for an attribute, specify a comma separated list the values for the display name. You can specify values for more than one attribute by using semicolons to separate attribute value pairs. </maml:para><maml:para>When specifying the Add, Remove, Replace and Clear parameters together, the operations are performed in the following order: --Remove --Add --Replace --Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. The acceptable values for this parameter are: --Negotiate or 0 --Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.</maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that are cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a parameter. To modify an object property, you must specify the LDAP display name. You can modify more than one property by specifying a comma-separated list. </maml:para><maml:para>When specifying the Add, Remove, Replace and Clear parameters together, the operations are performed in the following order: --Remove --Add --Replace --Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ComputerAllowedToAuthenticateTo</maml:name><maml:description><maml:para>Specifies the security descriptor definition language (SDDL) string of the security descriptor used to determine if the computer can authenticate to this account. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ComputerTGTLifetimeMins</maml:name><maml:description><maml:para>Specifies the lifetime in minutes for non-renewable ticket granting tickets (TGTs) for computer accounts. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform the task. The default is the current user. Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the <maml:navigationLink><maml:linkText>Get-Credential</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet. </maml:para><maml:para>By default, the cmdlet uses the credentials of the currently logged on user unless the cmdlet is run from an Active Directory Domain ServicesWindows PowerShell provider drive. If you run the cmdlet in a provider drive, the account associated with the drive is the default.</maml:para><maml:para>If you specify credentials that do not have permission to perform the task, the cmdlet returns an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description for the object. This parameter sets the value of the description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description".</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Enforce</maml:name><maml:description><maml:para>Indicates whether the authentication policy is enforced. Specify $True to set the authentication policy to enforced. Specify $False to set the authentication policy to not enforced.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Indicates whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. The acceptable values for this parameter are: --$False or 0 --$True or 1 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove the values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must specify the LDAP display name. </maml:para><maml:para>Specify the attribute and the value of the attribute in the following format: @{'AttributeLDAPDisplayName'=value}. </maml:para><maml:para>To specify multiple values for an attribute, specify a comma separated list the values for the display name. You can specify values for more than one attribute by using semicolons to separate attribute value pairs. </maml:para><maml:para>When specifying the Add, Remove, Replace and Clear parameters together, the operations are performed in the following order: --Remove --Add --Replace --Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies a list of values for an object property that replaces the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must specify the LDAP display name. </maml:para><maml:para>Specify the attribute and the value of the attribute in the following format: @{'AttributeLDAPDisplayName'=value}. </maml:para><maml:para>To specify multiple values for an attribute, specify a comma separated list the values for the display name. You can specify values for more than one attribute by using semicolons to separate attribute value pairs. </maml:para><maml:para>When specifying the Add, Remove, Replace and Clear parameters together, the operations are performed in the following order: --Remove --Add --Replace --Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to which to connect, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Specify the Active Directory Domain Services instance in one of the following ways: --Domain name values: ----Fully qualified domain name ----NetBIOS name --Directory server values: ----Fully qualified directory server name ----NetBIOS name ----Fully qualified directory server name and port</maml:para><maml:para>The default value for this parameter is determined by one of the following methods in the order that they are listed: --By using the Server value from objects passed through the pipeline --By using the server information associated with the Active Directory Domain ServicesWindows PowerShell provider drive, when the cmdlet runs in that drive --By using the domain of the computer running Windows PowerShell</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ServiceAllowedToAuthenticateFrom</maml:name><maml:description><maml:para>Specifies an access control expression used to determine from which devices the service can authenticate.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ServiceAllowedToAuthenticateTo</maml:name><maml:description><maml:para>Specifies the SDDL string of the security descriptor used to determine if the service can authenticate to this account. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ServiceTGTLifetimeMins</maml:name><maml:description><maml:para>Specifies the lifetime in minutes for non-renewable TGTs for service accounts. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>UserAllowedToAuthenticateFrom</maml:name><maml:description><maml:para>Specifies an access control expression used to determine from which devices the users can authenticate.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>UserAllowedToAuthenticateTo</maml:name><maml:description><maml:para>Specifies the SDDL string of the security descriptor used to determine if the users can authenticate to this account. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>UserTGTLifetimeMins</maml:name><maml:description><maml:para>Specifies the lifetime in minutes for non-renewable TGTs for user accounts. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Set-ADAuthenticationPolicy</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. The acceptable values for this parameter are: --Negotiate or 0 --Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.</maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform the task. The default is the current user. Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the <maml:navigationLink><maml:linkText>Get-Credential</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet. </maml:para><maml:para>By default, the cmdlet uses the credentials of the currently logged on user unless the cmdlet is run from an Active Directory Domain ServicesWindows PowerShell provider drive. If you run the cmdlet in a provider drive, the account associated with the drive is the default.</maml:para><maml:para>If you specify credentials that do not have permission to perform the task, the cmdlet returns an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to which to connect, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Specify the Active Directory Domain Services instance in one of the following ways: --Domain name values: ----Fully qualified domain name ----NetBIOS name --Directory server values: ----Fully qualified directory server name ----NetBIOS name ----Fully qualified directory server name and port</maml:para><maml:para>The default value for this parameter is determined by one of the following methods in the order that they are listed: --By using the Server value from objects passed through the pipeline --By using the server information associated with the Active Directory Domain ServicesWindows PowerShell provider drive, when the cmdlet runs in that drive --By using the domain of the computer running Windows PowerShell</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies a modified copy of an ADAuthenticationPolicy object to use to update the actual ADAuthenticationPolicy object. When you specify this parameter, any modifications made to the modified copy of the object are also made to the corresponding ADAuthenticationPolicy object. The cmdlet only updates the object properties that have changed. When you specify the Instance parameter, you cannot specify other parameters that set properties on the object.</maml:para><maml:para>To get the ADAuthenticationPolicy object to use to update the ADAuthenticationPolicy on which the cmdlet runs, use the Get-ADAuthenticationPolicy cmdlet.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies a list of values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a parameter. To identify an attribute, specify the LDAP Display Name defined for it in the Active Directory Domain Services schema. </maml:para><maml:para>Specify the attribute and the value of the attribute in the following format: @{'AttributeLDAPDisplayName'=value}. </maml:para><maml:para>To specify multiple values for an attribute, specify a comma separated list the values for the display name. You can specify values for more than one attribute by using semicolons to separate attribute value pairs. </maml:para><maml:para>When specifying the Add, Remove, Replace and Clear parameters together, the operations are performed in the following order: --Remove --Add --Replace --Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. The acceptable values for this parameter are: --Negotiate or 0 --Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that are cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a parameter. To modify an object property, you must specify the LDAP display name. You can modify more than one property by specifying a comma-separated list. </maml:para><maml:para>When specifying the Add, Remove, Replace and Clear parameters together, the operations are performed in the following order: --Remove --Add --Replace --Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ComputerAllowedToAuthenticateTo</maml:name><maml:description><maml:para>Specifies the security descriptor definition language (SDDL) string of the security descriptor used to determine if the computer can authenticate to this account. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ComputerTGTLifetimeMins</maml:name><maml:description><maml:para>Specifies the lifetime in minutes for non-renewable ticket granting tickets (TGTs) for computer accounts. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform the task. The default is the current user. Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the <maml:navigationLink><maml:linkText>Get-Credential</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet. </maml:para><maml:para>By default, the cmdlet uses the credentials of the currently logged on user unless the cmdlet is run from an Active Directory Domain ServicesWindows PowerShell provider drive. If you run the cmdlet in a provider drive, the account associated with the drive is the default.</maml:para><maml:para>If you specify credentials that do not have permission to perform the task, the cmdlet returns an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description for the object. This parameter sets the value of the description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description".</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Enforce</maml:name><maml:description><maml:para>Indicates whether the authentication policy is enforced. Specify $True to set the authentication policy to enforced. Specify $False to set the authentication policy to not enforced.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="0" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory Domain Services authentication policy object. Specify the authentication policy object in one of the following formats: --Distinguished Name --GUID --Name</maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If the cmdlet finds two or more objects, the cmdlet returns a non-terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue><dev:type><maml:name>ADAuthenticationPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies a modified copy of an ADAuthenticationPolicy object to use to update the actual ADAuthenticationPolicy object. When you specify this parameter, any modifications made to the modified copy of the object are also made to the corresponding ADAuthenticationPolicy object. The cmdlet only updates the object properties that have changed. When you specify the Instance parameter, you cannot specify other parameters that set properties on the object.</maml:para><maml:para>To get the ADAuthenticationPolicy object to use to update the ADAuthenticationPolicy on which the cmdlet runs, use the Get-ADAuthenticationPolicy cmdlet.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue><dev:type><maml:name>ADAuthenticationPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Indicates whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. The acceptable values for this parameter are: --$False or 0 --$True or 1 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove the values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must specify the LDAP display name. </maml:para><maml:para>Specify the attribute and the value of the attribute in the following format: @{'AttributeLDAPDisplayName'=value}. </maml:para><maml:para>To specify multiple values for an attribute, specify a comma separated list the values for the display name. You can specify values for more than one attribute by using semicolons to separate attribute value pairs. </maml:para><maml:para>When specifying the Add, Remove, Replace and Clear parameters together, the operations are performed in the following order: --Remove --Add --Replace --Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies a list of values for an object property that replaces the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must specify the LDAP display name. </maml:para><maml:para>Specify the attribute and the value of the attribute in the following format: @{'AttributeLDAPDisplayName'=value}. </maml:para><maml:para>To specify multiple values for an attribute, specify a comma separated list the values for the display name. You can specify values for more than one attribute by using semicolons to separate attribute value pairs. </maml:para><maml:para>When specifying the Add, Remove, Replace and Clear parameters together, the operations are performed in the following order: --Remove --Add --Replace --Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to which to connect, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Specify the Active Directory Domain Services instance in one of the following ways: --Domain name values: ----Fully qualified domain name ----NetBIOS name --Directory server values: ----Fully qualified directory server name ----NetBIOS name ----Fully qualified directory server name and port</maml:para><maml:para>The default value for this parameter is determined by one of the following methods in the order that they are listed: --By using the Server value from objects passed through the pipeline --By using the server information associated with the Active Directory Domain ServicesWindows PowerShell provider drive, when the cmdlet runs in that drive --By using the domain of the computer running Windows PowerShell</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ServiceAllowedToAuthenticateFrom</maml:name><maml:description><maml:para>Specifies an access control expression used to determine from which devices the service can authenticate.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ServiceAllowedToAuthenticateTo</maml:name><maml:description><maml:para>Specifies the SDDL string of the security descriptor used to determine if the service can authenticate to this account. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ServiceTGTLifetimeMins</maml:name><maml:description><maml:para>Specifies the lifetime in minutes for non-renewable TGTs for service accounts. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>UserAllowedToAuthenticateFrom</maml:name><maml:description><maml:para>Specifies an access control expression used to determine from which devices the users can authenticate.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>UserAllowedToAuthenticateTo</maml:name><maml:description><maml:para>Specifies the SDDL string of the security descriptor used to determine if the users can authenticate to this account. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>UserTGTLifetimeMins</maml:name><maml:description><maml:para>Specifies the lifetime in minutes for non-renewable TGTs for user accounts. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADAuthenticationPolicy</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>This cmdlet accepts an authentication policy object. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>System.Object</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns one or more objects.</maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title>Example 1: Modify properties of a specified authentication policy</maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\> Set-ADAuthenticationPolicy -Identity AuthenticationPolicy01 -Description "testDescription" -UserTGTLifetimeMins 45 </dev:code><dev:remarks><maml:para>This command modifies the description and the UserTGTLifetimeMins properties of the specified authentication policy. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title>Example 2: Modify properties of an authentication policy by using an Instance.</maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\> $authPolicy = Get-ADAuthenticationPolicy -Identity AuthenticationPolicy02 PS C:\> $authPolicy.Description = 'testDescription' PS C:\> $authPolicy.UserTGTLifetimeMins = 60 PS C:\> Set-ADAuthenticationPolicy -Instance $authPolicy </dev:code><dev:remarks><maml:para>This example first gets the authentication policy named AuthenticationPolicy02 by using the Get-ADAuthenticationPolicy cmdlet. The authentication policy object is stored in the variable named $authPolicy. </maml:para><maml:para>The next commands modify the properties of the object in the variable, and the final command specifies the Instance parameter to commit the changes to the authentication policy stored in the $authPolicy variable. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title>Example 3: Modify multiple authentication policies </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\> Get-ADAuthenticationPolicy -Filter 'UserTGTLifetimeMins -le 50' | Set-ADAuthenticationPolicy -UserTGTLifetimeMins 60 </dev:code><dev:remarks><maml:para>This command uses the Get-ADAuthenticationPolicy cmdlet with the Filter parameter to get all authentication policies that have the UserTGTLifetimeMins value set below 50 minutes. The pipeline operator then passes the result of the filter to Set-AdAuthenticationPolicy, which sets the new UserTGTLifetimeMins value to 60 minutes.</maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title>Example 4: Replace an existing property value </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\> Set-ADAuthenticationPolicy AuthenticationPolicy03 -Replace @{description="New Description"} </dev:code><dev:remarks><maml:para>This command replaces the existing description property for AuthenticationPolicy03 with the new description specified by the Replace parameter. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=313377</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADAuthenticationPolicy</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADAuthenticationPolicy</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADAuthenticationPolicy</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Set-ADAuthenticationPolicySilo</command:name><maml:description><maml:para>Modifies an Active Directory Domain Services authentication policy silo object. </maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Set</command:verb><command:noun>ADAuthenticationPolicySilo</command:noun><dev:version /></command:details><maml:description><maml:para>The Set-ADAuthenticationPolicySilo cmdlet modifies the properties of an Active Directory® Domain Services authentication policy silo. You can modify commonly used property values by using the cmdlet parameters. Property values that are not associated with cmdlet parameters can be modified by using the Add, Replace, Clear and Remove parameters. </maml:para><maml:para>The Identity parameter specifies the Active Directory Domain Services authentication policy to modify. You can specify an authentication policy object by using a distinguished name (DN), a GUID, or a name. You can also use the Identity parameter to specify a variable that contains an authentication policy object, or you can use the pipeline operator to pass an authentication policy object to the Identity parameter. To get an authentication policy object, use the Get-ADAuthenticationPolicycmdlet. </maml:para><maml:para>Use the Instance parameter to specify an authentication policy object to use as a template for the object being modified. Do not specify both the Instance parameter and the Identity parameter. </maml:para><maml:para>For more information about how the Instance concept is used in Active Directory Domain Services cmdlets, see about_ActiveDirectory_Instance.</maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Set-ADAuthenticationPolicySilo</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="0" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory Domain Services authentication policy silo object. Specify the authentication policy silo object in one of the following formats: --Distinguished Name --GUID --Name</maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If the cmdlet finds two or more objects, the cmdlet returns a non-terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicySilo</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies a list of values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a parameter. To identify an attribute, specify the LDAP Display Name defined for it in the Active Directory Domain Services schema. </maml:para><maml:para>Specify the attribute and the value of the attribute in the following format: @{'AttributeLDAPDisplayName'=value}. </maml:para><maml:para>To specify multiple values for an attribute, specify a comma separated list the values for the display name. You can specify values for more than one attribute by using semicolons to separate attribute value pairs. </maml:para><maml:para>When specifying the Add, Remove, Replace and Clear parameters together, the operations are performed in the following order: --Remove --Add --Replace --Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. The acceptable values for this parameter are: --Negotiate or 0 --Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.</maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that are cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a parameter. To modify an object property, you must specify the LDAP display name. You can modify more than one property by specifying a comma-separated list. </maml:para><maml:para>When specifying the Add, Remove, Replace and Clear parameters together, the operations are performed in the following order: --Remove --Add --Replace --Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ComputerAuthenticationPolicy</maml:name><maml:description><maml:para>Specifies the authentication policy that applies to computer accounts.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform the task. The default is the current user. Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the <maml:navigationLink><maml:linkText>Get-Credential</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet. </maml:para><maml:para>By default, the cmdlet uses the credentials of the currently logged on user unless the cmdlet is run from an Active Directory Domain ServicesWindows PowerShell provider drive. If you run the cmdlet in a provider drive, the account associated with the drive is the default.</maml:para><maml:para>If you specify credentials that do not have permission to perform the task, the cmdlet returns an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description for the object. This parameter sets the value of the description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description".</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Enforce</maml:name><maml:description><maml:para>Indicates whether the authentication policy is enforced. Specify $True to set the authentication policy to enforced. Specify $False to set the authentication policy to not enforced.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Indicates whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. The acceptable values for this parameter are: --$False or 0 --$True or 1 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove the values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must specify the LDAP display name. </maml:para><maml:para>Specify the attribute and the value of the attribute in the following format: @{'AttributeLDAPDisplayName'=value}. </maml:para><maml:para>To specify multiple values for an attribute, specify a comma separated list the values for the display name. You can specify values for more than one attribute by using semicolons to separate attribute value pairs. </maml:para><maml:para>When specifying the Add, Remove, Replace and Clear parameters together, the operations are performed in the following order: --Remove --Add --Replace --Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies a list of values for an object property that replaces the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must specify the LDAP display name. </maml:para><maml:para>Specify the attribute and the value of the attribute in the following format: @{'AttributeLDAPDisplayName'=value}. </maml:para><maml:para>To specify multiple values for an attribute, specify a comma separated list the values for the display name. You can specify values for more than one attribute by using semicolons to separate attribute value pairs. </maml:para><maml:para>When specifying the Add, Remove, Replace and Clear parameters together, the operations are performed in the following order: --Remove --Add --Replace --Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to which to connect, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Specify the Active Directory Domain Services instance in one of the following ways: --Domain name values: ----Fully qualified domain name ----NetBIOS name --Directory server values: ----Fully qualified directory server name ----NetBIOS name ----Fully qualified directory server name and port</maml:para><maml:para>The default value for this parameter is determined by one of the following methods in the order that they are listed: --By using the Server value from objects passed through the pipeline --By using the server information associated with the Active Directory Domain ServicesWindows PowerShell provider drive, when the cmdlet runs in that drive --By using the domain of the computer running Windows PowerShell</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ServiceAuthenticationPolicy</maml:name><maml:description><maml:para>Specifies the authentication policy that applies to managed service accounts.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>UserAuthenticationPolicy</maml:name><maml:description><maml:para>Specifies the authentication policy that applies to user accounts.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Set-ADAuthenticationPolicySilo</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. The acceptable values for this parameter are: --Negotiate or 0 --Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.</maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform the task. The default is the current user. Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the <maml:navigationLink><maml:linkText>Get-Credential</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet. </maml:para><maml:para>By default, the cmdlet uses the credentials of the currently logged on user unless the cmdlet is run from an Active Directory Domain ServicesWindows PowerShell provider drive. If you run the cmdlet in a provider drive, the account associated with the drive is the default.</maml:para><maml:para>If you specify credentials that do not have permission to perform the task, the cmdlet returns an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to which to connect, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Specify the Active Directory Domain Services instance in one of the following ways: --Domain name values: ----Fully qualified domain name ----NetBIOS name --Directory server values: ----Fully qualified directory server name ----NetBIOS name ----Fully qualified directory server name and port</maml:para><maml:para>The default value for this parameter is determined by one of the following methods in the order that they are listed: --By using the Server value from objects passed through the pipeline --By using the server information associated with the Active Directory Domain ServicesWindows PowerShell provider drive, when the cmdlet runs in that drive --By using the domain of the computer running Windows PowerShell</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies a modified copy of an ADAuthenticationPolicySilo object to use to update the actual ADAuthenticationPolicySilo object. When you specify this parameter, any modifications made to the modified copy of the object are also made to the corresponding ADAuthenticationPolicySilo object. The cmdlet only updates the object properties that have changed. When you specify the Instance parameter, you cannot specify other parameters that set properties on the object.</maml:para><maml:para>To get the ADAuthenticationPolicySilo object to use to update the ADAuthenticationPolicySilo on which the cmdlet runs, use the Get-ADAuthenticationPolicySilo cmdlet.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicySilo</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies a list of values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a parameter. To identify an attribute, specify the LDAP Display Name defined for it in the Active Directory Domain Services schema. </maml:para><maml:para>Specify the attribute and the value of the attribute in the following format: @{'AttributeLDAPDisplayName'=value}. </maml:para><maml:para>To specify multiple values for an attribute, specify a comma separated list the values for the display name. You can specify values for more than one attribute by using semicolons to separate attribute value pairs. </maml:para><maml:para>When specifying the Add, Remove, Replace and Clear parameters together, the operations are performed in the following order: --Remove --Add --Replace --Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. The acceptable values for this parameter are: --Negotiate or 0 --Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that are cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a parameter. To modify an object property, you must specify the LDAP display name. You can modify more than one property by specifying a comma-separated list. </maml:para><maml:para>When specifying the Add, Remove, Replace and Clear parameters together, the operations are performed in the following order: --Remove --Add --Replace --Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ComputerAuthenticationPolicy</maml:name><maml:description><maml:para>Specifies the authentication policy that applies to computer accounts.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue><dev:type><maml:name>ADAuthenticationPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform the task. The default is the current user. Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the <maml:navigationLink><maml:linkText>Get-Credential</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet. </maml:para><maml:para>By default, the cmdlet uses the credentials of the currently logged on user unless the cmdlet is run from an Active Directory Domain ServicesWindows PowerShell provider drive. If you run the cmdlet in a provider drive, the account associated with the drive is the default.</maml:para><maml:para>If you specify credentials that do not have permission to perform the task, the cmdlet returns an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description for the object. This parameter sets the value of the description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description".</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Enforce</maml:name><maml:description><maml:para>Indicates whether the authentication policy is enforced. Specify $True to set the authentication policy to enforced. Specify $False to set the authentication policy to not enforced.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="0" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory Domain Services authentication policy silo object. Specify the authentication policy silo object in one of the following formats: --Distinguished Name --GUID --Name</maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If the cmdlet finds two or more objects, the cmdlet returns a non-terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicySilo</command:parameterValue><dev:type><maml:name>ADAuthenticationPolicySilo</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies a modified copy of an ADAuthenticationPolicySilo object to use to update the actual ADAuthenticationPolicySilo object. When you specify this parameter, any modifications made to the modified copy of the object are also made to the corresponding ADAuthenticationPolicySilo object. The cmdlet only updates the object properties that have changed. When you specify the Instance parameter, you cannot specify other parameters that set properties on the object.</maml:para><maml:para>To get the ADAuthenticationPolicySilo object to use to update the ADAuthenticationPolicySilo on which the cmdlet runs, use the Get-ADAuthenticationPolicySilo cmdlet.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicySilo</command:parameterValue><dev:type><maml:name>ADAuthenticationPolicySilo</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Indicates whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. The acceptable values for this parameter are: --$False or 0 --$True or 1 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove the values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must specify the LDAP display name. </maml:para><maml:para>Specify the attribute and the value of the attribute in the following format: @{'AttributeLDAPDisplayName'=value}. </maml:para><maml:para>To specify multiple values for an attribute, specify a comma separated list the values for the display name. You can specify values for more than one attribute by using semicolons to separate attribute value pairs. </maml:para><maml:para>When specifying the Add, Remove, Replace and Clear parameters together, the operations are performed in the following order: --Remove --Add --Replace --Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies a list of values for an object property that replaces the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must specify the LDAP display name. </maml:para><maml:para>Specify the attribute and the value of the attribute in the following format: @{'AttributeLDAPDisplayName'=value}. </maml:para><maml:para>To specify multiple values for an attribute, specify a comma separated list the values for the display name. You can specify values for more than one attribute by using semicolons to separate attribute value pairs. </maml:para><maml:para>When specifying the Add, Remove, Replace and Clear parameters together, the operations are performed in the following order: --Remove --Add --Replace --Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to which to connect, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Specify the Active Directory Domain Services instance in one of the following ways: --Domain name values: ----Fully qualified domain name ----NetBIOS name --Directory server values: ----Fully qualified directory server name ----NetBIOS name ----Fully qualified directory server name and port</maml:para><maml:para>The default value for this parameter is determined by one of the following methods in the order that they are listed: --By using the Server value from objects passed through the pipeline --By using the server information associated with the Active Directory Domain ServicesWindows PowerShell provider drive, when the cmdlet runs in that drive --By using the domain of the computer running Windows PowerShell</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ServiceAuthenticationPolicy</maml:name><maml:description><maml:para>Specifies the authentication policy that applies to managed service accounts.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue><dev:type><maml:name>ADAuthenticationPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>UserAuthenticationPolicy</maml:name><maml:description><maml:para>Specifies the authentication policy that applies to user accounts.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue><dev:type><maml:name>ADAuthenticationPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADAccount</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>This cmdlet accepts an account object.</maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>System.Object</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns one or more objects.</maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title>Example 1: Modify an authentication policy silo</maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\>Set-ADAuthenticationPolicySilo -Name AuthenticationPolicySilo01 -UserAuthenticationPolicy ‘AuthenticationPolicy1’ </dev:code><dev:remarks><maml:para>This command modifies the user authentication policy for the authentication policy silo named AuthenticationPolicySilo01.</maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title>Example 2: Modify multiple properties of an authentication policy silo</maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\> $authPolicySilo = Get-ADAuthenticationPolicySilo -Identity AuthenticationPolicySilo02 PS C:\> $authPolicySilo.Description = 'testDescription' PS C:\> $authPolicySilo.Enforce = $False PS C:\> Set-ADAuthenticationPolicySilo –Instance $authPolicySilo </dev:code><dev:remarks><maml:para>This example first gets an authentication policy silo object and stores it in the variable named $authPolicySilo. Properties of the authentication policy silo are then modified, and finally the contents of the variable are written to the authentication policy silo by using the Instance parameter.</maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title>Example 3: Modify multiple authentication policy silo objects by filtering</maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\>Get-ADAuthenticationPolicySilo -Filter 'UserAuthenticationPolicy -eq "AuthenticationPolicy01"' | Set-ADAuthenticationPolicySilo -UserAuthenticationPolicy AuthenticationPolicy02 </dev:code><dev:remarks><maml:para>This example first gets all authentication policy silos that match the filter specified by the Filter parameter for Get-ADAuthenticationPolicySilo. The results of the filter are then passed to Set-ADAuthenticationPolicySilo by using the pipeline operator. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title>Example 4: Replace a value in an authentication policy silo object</maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\>Set-ADAuthenticationPolicySilo -Name AuthenticationPolicySilo03 -Replace @{description="New Description"} </dev:code><dev:remarks><maml:para>This command replaces the description for the authentication policy silo object named AuthenticationPolicySilo03.</maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=298364</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADAuthenticationPolicySilo</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADAuthenticationPolicySilo</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADAuthenticationPolicySilo</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Set-ADCentralAccessPolicy</command:name><maml:description><maml:para>Modifies a central access policy in Active Directory. </maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Set</command:verb><command:noun>ADCentralAccessPolicy</command:noun><dev:version /></command:details><maml:description><maml:para>The Set-ADCentralAccessPolicy cmdlet can be used to modify a central access policy in Active Directory. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Set-ADCentralAccessPolicy</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Finance Policy,CN=Central Access Policies,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADCentralAccessPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Set-ADCentralAccessPolicy</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies a modified copy of a central access policy object to use to update the actual central access policy object. When this parameter is used, any modifications made to the modified copy of the object are also made to the corresponding central access policy object. The cmdlet only updates the object properties that have changed. </maml:para><maml:para>The Instance parameter can only update central access policy objects that have been retrieved by using the Get-ADCentralAccessPolicy cmdlet. When you specify the Instance parameter, you cannot specify other parameters that set properties on the object. </maml:para><maml:para>The following is an example of how to use the Get-ADCentralAccessPolicy cmdlet to retrieve an instance of the object. The object is modified by using the Windows PowerShell command line. Then the Set-ADCentralAccessPolicy cmdlet saves the changes to the Active Directory object. </maml:para><maml:para>Step 1: Retrieve a local instance of the object. </maml:para><maml:para>$objectInstance = Get-ADCentralAccessPolicy -Identity "Finance Policy" </maml:para><maml:para>Step 2: Modify one or more properties of the object instance. </maml:para><maml:para>$objectInstance.Description = "For finance only." </maml:para><maml:para>Step3: Save your changes to the object </maml:para><maml:para>Set-ADCentralAccessPolicy -Instance $objectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADCentralAccessPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Finance Policy,CN=Central Access Policies,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADCentralAccessPolicy</command:parameterValue><dev:type><maml:name>ADCentralAccessPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies a modified copy of a central access policy object to use to update the actual central access policy object. When this parameter is used, any modifications made to the modified copy of the object are also made to the corresponding central access policy object. The cmdlet only updates the object properties that have changed. </maml:para><maml:para>The Instance parameter can only update central access policy objects that have been retrieved by using the Get-ADCentralAccessPolicy cmdlet. When you specify the Instance parameter, you cannot specify other parameters that set properties on the object. </maml:para><maml:para>The following is an example of how to use the Get-ADCentralAccessPolicy cmdlet to retrieve an instance of the object. The object is modified by using the Windows PowerShell command line. Then the Set-ADCentralAccessPolicy cmdlet saves the changes to the Active Directory object. </maml:para><maml:para>Step 1: Retrieve a local instance of the object. </maml:para><maml:para>$objectInstance = Get-ADCentralAccessPolicy -Identity "Finance Policy" </maml:para><maml:para>Step 2: Modify one or more properties of the object instance. </maml:para><maml:para>$objectInstance.Description = "For finance only." </maml:para><maml:para>Step3: Save your changes to the object </maml:para><maml:para>Set-ADCentralAccessPolicy -Instance $objectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADCentralAccessPolicy</command:parameterValue><dev:type><maml:name>ADCentralAccessPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADCentralAccessPolicy</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A ADCentralAccessPolicy object is received by the Identity parameter. </maml:para><maml:para>A ADCentralAccessPolicy object that was retrieved by using the Get-ADCentralAccessPolicy cmdlet and then modified is received by the Instance parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADCentralAccessPolicy</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns the modified ADCentralAccessPolicy object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADCentralAccessPolicy "Finance Policy" -Description "For the Finance Department." </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Updates the central access policy named "Finance Policy" to include the description "For the Finance Department." </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADCentralAccessPolicy "Finance Policy" | Set-ADCentralAccessPolicy -Description "For the Finance Department." </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Gets the central access policy named "Finance Policy", and then sets its description to "For the Finance Department." </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291109</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Set-ADCentralAccessRule</command:name><maml:description><maml:para>Modifies a central access rule in Active Directory. </maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Set</command:verb><command:noun>ADCentralAccessRule</command:noun><dev:version /></command:details><maml:description><maml:para>The Set-ADCentralAccessRule cmdlet can be used to modify a central access rule in a central access policy that is stored in Active Directory. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Set-ADCentralAccessRule</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Finance Documents Rule,CN=Central Access Rules,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADCentralAccessRule</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>CurrentAcl</maml:name><maml:description><maml:para>This parameter specifies the currently effective ACL of the central access rule. The current ACL grants access to target resources once the central access policy containing this rule is published. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProposedAcl</maml:name><maml:description><maml:para>Specifies the proposed ACL of the central access rule. The proposed ACL allows an administrator to audit the results of access requests to target resources specified in the resource condition without affecting the current system. To view the logs, go to Event Viewer or other audit tools to view the logs. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResourceCondition</maml:name><maml:description><maml:para>Specifies the resource condition of the central access rule. The resource condition specifies a list of criteria to scope the resources. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Set-ADCentralAccessRule</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies a modified copy of an central access rule object to use to update the actual central access rule object. When this parameter is used, any modifications made to the modified copy of the object are also made to the corresponding central access rule object. The cmdlet only updates the object properties that have changed. </maml:para><maml:para>The Instance parameter can only update central access rule objects that have been retrieved by using the Get-ADCentralAccessRule cmdlet. When you specify the Instance parameter, you cannot specify other parameters that set properties on the object. </maml:para><maml:para>The following is an example of how to use the Get-ADCentralAccessRule cmdlet to retrieve an instance of the object. The object is modified by using the Windows PowerShell command line. Then the Set-ADCentralAccessRule cmdlet saves the changes to the central access rule object. </maml:para><maml:para>Step 1: Retrieve a local instance of the object. </maml:para><maml:para>$objectInstance = Get-ADCentralAccessRule -Identity "Finance Documents Rule" </maml:para><maml:para>Step 2: Modify one or more properties of the object instance. </maml:para><maml:para>$objectInstance.Description = "For finance documents." </maml:para><maml:para>Step 3: Save your changes to the object </maml:para><maml:para>Set-ADCentralAccessRule -Instance $objectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADCentralAccessRule</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>CurrentAcl</maml:name><maml:description><maml:para>This parameter specifies the currently effective ACL of the central access rule. The current ACL grants access to target resources once the central access policy containing this rule is published. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Finance Documents Rule,CN=Central Access Rules,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADCentralAccessRule</command:parameterValue><dev:type><maml:name>ADCentralAccessRule</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies a modified copy of an central access rule object to use to update the actual central access rule object. When this parameter is used, any modifications made to the modified copy of the object are also made to the corresponding central access rule object. The cmdlet only updates the object properties that have changed. </maml:para><maml:para>The Instance parameter can only update central access rule objects that have been retrieved by using the Get-ADCentralAccessRule cmdlet. When you specify the Instance parameter, you cannot specify other parameters that set properties on the object. </maml:para><maml:para>The following is an example of how to use the Get-ADCentralAccessRule cmdlet to retrieve an instance of the object. The object is modified by using the Windows PowerShell command line. Then the Set-ADCentralAccessRule cmdlet saves the changes to the central access rule object. </maml:para><maml:para>Step 1: Retrieve a local instance of the object. </maml:para><maml:para>$objectInstance = Get-ADCentralAccessRule -Identity "Finance Documents Rule" </maml:para><maml:para>Step 2: Modify one or more properties of the object instance. </maml:para><maml:para>$objectInstance.Description = "For finance documents." </maml:para><maml:para>Step 3: Save your changes to the object </maml:para><maml:para>Set-ADCentralAccessRule -Instance $objectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADCentralAccessRule</command:parameterValue><dev:type><maml:name>ADCentralAccessRule</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProposedAcl</maml:name><maml:description><maml:para>Specifies the proposed ACL of the central access rule. The proposed ACL allows an administrator to audit the results of access requests to target resources specified in the resource condition without affecting the current system. To view the logs, go to Event Viewer or other audit tools to view the logs. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ResourceCondition</maml:name><maml:description><maml:para>Specifies the resource condition of the central access rule. The resource condition specifies a list of criteria to scope the resources. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADCentralAccessPolicyEntry</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A ADCentralAccessPolicyEntry object is received by the Identity parameter. </maml:para><maml:para>A ADCentralAccessPolicyEntry object that was retrieved by using the Get-ADCentralAccessPolicyEntry cmdlet and then modified is received by the Instance parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADCentralAccessPolicyEntry</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns the modified ADCentralAccessPolicyEntry object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>$departmentResourceProperty = Get-ADResourceProperty Department $resourceCondition = "(@RESOURCE." + $departmentResourceProperty.Name + " Contains {`"Finance`"})" Set-ADCentralAccessRule "Finance Documents Rule" -ResourceCondition $resourceCondition </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Set the central access rule named "Finance Documents Rule" with a new resource condition. The resource condition scopes the resources to ones containing the value 'Finance' in their 'Department' resource property. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>$countryClaimType = Get-ADClaimType Country; $departmentClaimType = Get-ADClaimType Department; $countryResourceProperty = Get-ADResourceProperty Country; $departmentResourceProperty = Get-ADResourceProperty Department; $financeException = Get-ADGroup FinanceException; $financeAdmin = Get-ADGroup FinanceAdmin; $resourceCondition = "(@RESOURCE." + $departmentResourceProperty.Name + " Contains {`"Finance`"})" $currentAcl = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;0x1200a9;;;" + $financeException.SID.Value + ")(A;;0x1301bf;;;" + $financeAdmin.SID.Value + ")(A;;FA;;;SY)(XA;;0x1200a9;;;AU;((@USER." + $countryClaimType.Name + " Any_of @RESOURCE." + $countryResourceProperty.Name + ") && (@USER." + $departmentClaimType.Name + " Any_of @RESOURCE." + $departmentResourceProperty.Name + ")))"; Set-ADCentralAccessRule "Finance Documents Rule" -ResourceCondition $resourceCondition -CurrentAcl $currentAcl </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Set the central access rule named "Finance Documents Rule" with a new resource condition and new permissions. </maml:para><maml:para>The new rule specifies that documents should only be read by members of the Finance department. Members of the Finance department should only be able to access documents in their own country. Only Finance Administrators should have write access. The rule allows an exception for members of the FinanceException group. This group will have read access. </maml:para><maml:para>Targeting: </maml:para><maml:para>Resource.Department Contains Finance </maml:para><maml:para>Access rules: </maml:para><maml:para>Allow Read User.Country=Resource.Country AND User.department = Resource.Department </maml:para><maml:para>Allow Full control User.MemberOf(FinanceAdmin) </maml:para><maml:para>Allow Read User.Country=Resource.Country AND User.department = Resource.Department </maml:para><maml:para>Allow Read User.MemberOf(FinanceException) </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADCentralAccessRule "Finance Documents Rule" | Set-ADCentralAccessRule -Description "For finance documents." </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the central access rule named "Finance Documents Rule", and set the description to "For finance documents." </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291110</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Set-ADClaimTransformLink</command:name><maml:description><maml:para>Applies a claims transformation to one or more cross-forest trust relationships in Active Directory.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Set</command:verb><command:noun>ADClaimTransformLink</command:noun><dev:version /></command:details><maml:description><maml:para>The Set-ADClaimTransformLink cmdlet can be used to apply a claims transformation to one or more cross-forest trust relationships in Active Directory. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Set-ADClaimTransformLink</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory group object by providing one of the following values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=fabrikam.com,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to a group object instance named "ADTrustInstance". </maml:para><maml:para>-Identity $ADTrustInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADTrust</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>Policy</maml:name><maml:description><maml:para>Specifies the claims transformation policy to apply to the cross-forest trust relationship. This parameter does not receive pipeline input. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimTransformPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>TrustRole</maml:name><maml:description><maml:para>An enumeration of the link types. Used to specify which links on the trust relationships should the claims transformation apply to. Allowable values are: Trusted and Trusting. </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Trusted</command:parameterValue><command:parameterValue required="true" variableLength="false">Trusting</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory group object by providing one of the following values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=fabrikam.com,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to a group object instance named "ADTrustInstance". </maml:para><maml:para>-Identity $ADTrustInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADTrust</command:parameterValue><dev:type><maml:name>ADTrust</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>Policy</maml:name><maml:description><maml:para>Specifies the claims transformation policy to apply to the cross-forest trust relationship. This parameter does not receive pipeline input. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimTransformPolicy</command:parameterValue><dev:type><maml:name>ADClaimTransformPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>TrustRole</maml:name><maml:description><maml:para>An enumeration of the link types. Used to specify which links on the trust relationships should the claims transformation apply to. Allowable values are: Trusted and Trusting. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADTrustRole</command:parameterValue><dev:type><maml:name>ADTrustRole</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADTrust</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A trust object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADTrust</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADClaimTransformPolicy DenyAllPolicy -DenyAll; Set-ADClaimTransformLink "corp.contoso.com" -Policy DenyAllPolicy -TrustRole Trusted Set-ADClaimTransformLink "corp.contoso.com" -Policy DenyAllPolicy -TrustRole Trusting </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Apply the claims transformation policy 'DenyAllPolicy' to the trust "corp.contoso.com". The rule is applied to where this domain acts as both the trusted and trusting domain in the trust. Effectively, the rule is applied to both claims coming in to this domain from its trust partner, and claims flowing out of this domain towards its trust partner. </maml:para><maml:para>Since the specified transformation rule denies all claims to be sent or received, this domain will now deny all claims from being sent to or received from the other domain (the trust partner). </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADClaimTransformPolicy AllowAllExceptCompanyAndDepartmentPolicy -AllowAllExcept Company,Department; Get-ADTrust "corp.contoso.com" | Set-ADClaimTransformLink -Policy AllowAllExceptCompanyAndDepartmentPolicy -TrustRole Trusted </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Apply th the claims transformation policy 'AllowAllExceptCompanyAndDepartmentPolicy' to the trust "corp.contoso.com". The rule is applied to where this domain acts as the trusted domain in the trust. Effectively, the rule is applied to claims flowing out of this domain towards its trust partner. </maml:para><maml:para>Since the specified transformation rule allows all claims to be sent or received except 'Company' and 'Department', this domain will now allow all claims except the two from being sent to the other domain (the trust partner). </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>New-ADClaimTransformPolicy HumanResourcesToHrPolicy -Rule 'C1:[Type=="ad://ext/Department:88ce6e1cc00e9524", Value=="Human Resources", ValueType=="string"] => issue(Type=C1.Type, Value="HR", ValueType=C1.ValueType);'; Set-ADClaimTransformLink "corp.contoso.com" -Policy HumanResourcesToHrPolicy -TrustRole Trusting </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Apply the claims transformation policy ' HumanResourcesToHrPolicy' to the trust "corp.contoso.com". The rule is applied to where this domain acts as the trusting domain in the trust. Effectively, the rule is applied to claims coming in to this domain from its trust partner. </maml:para><maml:para>Since the specified transformation rule transforms the value 'Human Resources' into 'HR' in the claim ad://ext/Department:88ce6e1cc00e9524', this domain will now transform the claim value received from the other domain (the trust partner) from 'Human Resources' to 'HR'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291111</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Set-ADClaimTransformPolicy</command:name><maml:description><maml:para>Sets the properties of a claims transformation policy in Active Directory.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Set</command:verb><command:noun>ADClaimTransformPolicy</command:noun><dev:version /></command:details><maml:description><maml:para>The Set-ADClaimTransformPolicy cmdlet can be used to set the properties of a claims transformation policy in Active Directory. A claims transformation policy object contains a set of rules authored in the transformation rule language. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Set-ADClaimTransformPolicy</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies one of the following as valid identities for the ADClaimTransformPolicy object: </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=DenyAllPolicy,CN=Claims Transformation Policies,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimTransformPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>DenyAll</maml:name><maml:description><maml:para>When this parameter is specified, the policy sets a claims transformation rule that denies all claims to be sent or received. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Set-ADClaimTransformPolicy</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies one of the following as valid identities for the ADClaimTransformPolicy object: </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=DenyAllPolicy,CN=Claims Transformation Policies,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimTransformPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AllowAll</maml:name><maml:description><maml:para>When this parameter is specified, the policy sets a claims transformation rule that allows all claims to be sent or received. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Set-ADClaimTransformPolicy</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies one of the following as valid identities for the ADClaimTransformPolicy object: </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=DenyAllPolicy,CN=Claims Transformation Policies,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimTransformPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AllowAllExcept</maml:name><maml:description><maml:para>When this parameter is specified, the policy sets a claims transformation rule that allows all claims to be sent or received except for the specified claim types. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADClaimType[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Set-ADClaimTransformPolicy</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies one of the following as valid identities for the ADClaimTransformPolicy object: </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=DenyAllPolicy,CN=Claims Transformation Policies,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimTransformPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>DenyAllExcept</maml:name><maml:description><maml:para>When this parameter is specified, the claims transformation policy sets a claims transformation rule that denies all claims to be sent or received except for the specified claim types. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADClaimType[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Set-ADClaimTransformPolicy</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies one of the following as valid identities for the ADClaimTransformPolicy object: </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=DenyAllPolicy,CN=Claims Transformation Policies,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimTransformPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Rule</maml:name><maml:description><maml:para>Represents the claims transformation rule. To specify the rule, you can either (1) type the rule in a text file, and then pass the file to the cmdlet (recommended), or (2) type the rule inline. </maml:para><maml:para>For example, the following commands demonstrate how to create a new claims transformation policy object with the rule specified in a text file named Rule.txt located in a temporary folder C:\temp. </maml:para><maml:para>$rule = Get-Content C:\temp\rule.txt; </maml:para><maml:para>New-ADClaimTransformPolicy MyRule -Rule $rule </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Set-ADClaimTransformPolicy</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of an Active Directory object to use as a template for a new claims transformation policy object. </maml:para><maml:para>You can use an instance of an existing claims transformation policy object as a template or you can construct a new claims transformation policy object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new claims transformation policy object. </maml:para><maml:para>Method 1: Use an existing claims transformation policy object as a template for a new object. To retrieve an instance of an existing claims transformation policy object, use a cmdlet such as Get-ADClaimTransformPolicy. Then provide this object to the Instance parameter of the New-ADClaimTransformPolicy cmdlet to create a new claims transformation policy object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADClaimTransformPolicy -Identity "Allow All except Finance Policy" </maml:para><maml:para>New-ADClaimTransformPolicy -Name "Allow All Except Pii Policy" -Instance $ObjectInstance </maml:para><maml:para>Method 2: Create a new ADClaimTransformPolicy and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADClaimTransformPolicy cmdlet to create the new Active Directory object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADClaimTransformPolicy </maml:para><maml:para>$objectInstance.Description = "For finance only." </maml:para><maml:para>New- DClaimTransformPolicy -Name "Deny All except Finance Policy" -Instance $ObjectInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimTransformPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AllowAll</maml:name><maml:description><maml:para>When this parameter is specified, the policy sets a claims transformation rule that allows all claims to be sent or received. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AllowAllExcept</maml:name><maml:description><maml:para>When this parameter is specified, the policy sets a claims transformation rule that allows all claims to be sent or received except for the specified claim types. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADClaimType[]</command:parameterValue><dev:type><maml:name>ADClaimType[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>DenyAll</maml:name><maml:description><maml:para>When this parameter is specified, the policy sets a claims transformation rule that denies all claims to be sent or received. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>DenyAllExcept</maml:name><maml:description><maml:para>When this parameter is specified, the claims transformation policy sets a claims transformation rule that denies all claims to be sent or received except for the specified claim types. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADClaimType[]</command:parameterValue><dev:type><maml:name>ADClaimType[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies one of the following as valid identities for the ADClaimTransformPolicy object: </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=DenyAllPolicy,CN=Claims Transformation Policies,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimTransformPolicy</command:parameterValue><dev:type><maml:name>ADClaimTransformPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue>None</dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of an Active Directory object to use as a template for a new claims transformation policy object. </maml:para><maml:para>You can use an instance of an existing claims transformation policy object as a template or you can construct a new claims transformation policy object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new claims transformation policy object. </maml:para><maml:para>Method 1: Use an existing claims transformation policy object as a template for a new object. To retrieve an instance of an existing claims transformation policy object, use a cmdlet such as Get-ADClaimTransformPolicy. Then provide this object to the Instance parameter of the New-ADClaimTransformPolicy cmdlet to create a new claims transformation policy object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADClaimTransformPolicy -Identity "Allow All except Finance Policy" </maml:para><maml:para>New-ADClaimTransformPolicy -Name "Allow All Except Pii Policy" -Instance $ObjectInstance </maml:para><maml:para>Method 2: Create a new ADClaimTransformPolicy and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADClaimTransformPolicy cmdlet to create the new Active Directory object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADClaimTransformPolicy </maml:para><maml:para>$objectInstance.Description = "For finance only." </maml:para><maml:para>New- DClaimTransformPolicy -Name "Deny All except Finance Policy" -Instance $ObjectInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimTransformPolicy</command:parameterValue><dev:type><maml:name>ADClaimTransformPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Rule</maml:name><maml:description><maml:para>Represents the claims transformation rule. To specify the rule, you can either (1) type the rule in a text file, and then pass the file to the cmdlet (recommended), or (2) type the rule inline. </maml:para><maml:para>For example, the following commands demonstrate how to create a new claims transformation policy object with the rule specified in a text file named Rule.txt located in a temporary folder C:\temp. </maml:para><maml:para>$rule = Get-Content C:\temp\rule.txt; </maml:para><maml:para>New-ADClaimTransformPolicy MyRule -Rule $rule </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADClaimTransformPolicy</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A claim transform policy object is received by the Identity parameter. </maml:para><maml:para>A claim transform policy object that was retrieved by using the Get-ADClaimTransformPolicycmdlet and then modified is received by the Instance parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADClaimTransformPolicy</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns the modified claim transform policy object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADClaimTransformPolicy DenyAllPolicy -DenyAll </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Sets the transformation rule on the claims transformation policy named 'DenyAllPolicy' to deny all claims, both those that are sent as well as those that are received. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADClaimTransformPolicy AllowAllExceptCompanyAndDepartmentPolicy -AllowAllExcept Company,Department </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Set the transformation rule on the claims transformation policy named 'AllowAllExceptCompanyAndDepartmentPolicy' to allow all claims to be sent or received except for the claims Company and Department. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADClaimTransformPolicy HumanResourcesToHrPolicy -Rule 'C1:[Type=="ad://ext/Department:88ce6e1cc00e9524", Value=="Human Resources", ValueType=="string"] => issue(Type=C1.Type, Value="HR", ValueType=C1.ValueType);' </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Sets the transformation rule on the claims transformation policy named 'HumanResourcesToHrPolicy' to transform the value 'Human Resources' to 'HR' in the claim 'ad://ext/Department:88ce6e1cc00e9524'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>$rule = Get-Content C:\rule.txt Set-ADClaimTransformPolicy MyRule -Rule $rule </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Set the transformation rule on the claims transformation policy named 'MyRule' with the rule specified in C:\rule.txt. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291112</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Set-ADClaimType</command:name><maml:description><maml:para>Modify a claim type in Active Directory. </maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Set</command:verb><command:noun>ADClaimType</command:noun><dev:version /></command:details><maml:description><maml:para>The Set-ADClaimType cmdlet can be used to modify a claim type in Active Directory. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Set-ADClaimType</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Country,CN=Claim Types,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimType</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AppliesToClasses</maml:name><maml:description><maml:para>Specifies the names, GUIDs or DNs of the schema classes to which this claim type is applied. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the claim type. The display name of the claim type must be unique. The display name of a claim type can be used as an identity in other Active Directory cmdlets. For example, if the display name of a claim type is "Employee Type", then you can use 'Get-ADClaimType -Identity "Employee Type"' to retrieve the claim type. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Enabled</maml:name><maml:description><maml:para>Specifies if the claim type is enabled. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>RestrictValues</maml:name><maml:description><maml:para>This parameter is used to specify whether the claim type may have values outside of the SuggestedValues. If this is set to true, then the claim should only have values specified in the SuggestedValues. Note that Active Directory does not enforce this restriction. It is up to the applications that use these claims to enforce the restriction. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SuggestedValues</maml:name><maml:description><maml:para>Specifies one or more suggested values for the claim type. An application may choose to present this list of suggested values for the user to choose from. When RestrictValues is set to true, the application should restrict the user to pick values from this list only. </maml:para><maml:para>Example: </maml:para><maml:para>$fullTime = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("FTE", "Full-Time", "Full-time employee"); </maml:para><maml:para>$intern = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Intern", "Intern", "Student employee"); </maml:para><maml:para>$contractor = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Contractor", "Contractor", "Contract employee"); </maml:para><maml:para>New-ADClaimType "Employee Type" -SourceAttribute employeeType -SuggestedValues $fullTime,$intern,$contractor </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADSuggestedValueEntry[]</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SourceAttribute</maml:name><maml:description><maml:para>Specifies an Active Directory attribute from which this claim type is based, and from which the claim value is obtained. The input must be the distinguished name (DN), Name, or GUID of the attribute definition in the schema. </maml:para><maml:para>Acceptable values include attributes of the following schema class objects: </maml:para><maml:para>- User, InetOrgPerson, Computer, ManagedServiceAccount, GroupManagedServiceAccount, and Auxiliary class objects </maml:para><maml:para>Except: </maml:para><maml:para>- Attributes marked as defunct in the schema </maml:para><maml:para>- Blocked attributes such as dBCSPwd, lmPwdHistory, and unicodePwd </maml:para><maml:para>- Attributes that are not replicated </maml:para><maml:para>- Attributes that are not available on read-only domain controllers </maml:para><maml:para>- Attributes with syntaxes not based on the following </maml:para><maml:para>- String Object (DS-DN) </maml:para><maml:para>- String (Unicode) </maml:para><maml:para>- Boolean </maml:para><maml:para>- Integer </maml:para><maml:para>- Large Integer </maml:para><maml:para>- String (OID) </maml:para><maml:para>- String (SD) </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Set-ADClaimType</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Country,CN=Claim Types,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimType</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AppliesToClasses</maml:name><maml:description><maml:para>Specifies the names, GUIDs or DNs of the schema classes to which this claim type is applied. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the claim type. The display name of the claim type must be unique. The display name of a claim type can be used as an identity in other Active Directory cmdlets. For example, if the display name of a claim type is "Employee Type", then you can use 'Get-ADClaimType -Identity "Employee Type"' to retrieve the claim type. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Enabled</maml:name><maml:description><maml:para>Specifies if the claim type is enabled. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>RestrictValues</maml:name><maml:description><maml:para>This parameter is used to specify whether the claim type may have values outside of the SuggestedValues. If this is set to true, then the claim should only have values specified in the SuggestedValues. Note that Active Directory does not enforce this restriction. It is up to the applications that use these claims to enforce the restriction. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SuggestedValues</maml:name><maml:description><maml:para>Specifies one or more suggested values for the claim type. An application may choose to present this list of suggested values for the user to choose from. When RestrictValues is set to true, the application should restrict the user to pick values from this list only. </maml:para><maml:para>Example: </maml:para><maml:para>$fullTime = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("FTE", "Full-Time", "Full-time employee"); </maml:para><maml:para>$intern = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Intern", "Intern", "Student employee"); </maml:para><maml:para>$contractor = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Contractor", "Contractor", "Contract employee"); </maml:para><maml:para>New-ADClaimType "Employee Type" -SourceAttribute employeeType -SuggestedValues $fullTime,$intern,$contractor </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADSuggestedValueEntry[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Set-ADClaimType</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Country,CN=Claim Types,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimType</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AppliesToClasses</maml:name><maml:description><maml:para>Specifies the names, GUIDs or DNs of the schema classes to which this claim type is applied. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the claim type. The display name of the claim type must be unique. The display name of a claim type can be used as an identity in other Active Directory cmdlets. For example, if the display name of a claim type is "Employee Type", then you can use 'Get-ADClaimType -Identity "Employee Type"' to retrieve the claim type. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Enabled</maml:name><maml:description><maml:para>Specifies if the claim type is enabled. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>RestrictValues</maml:name><maml:description><maml:para>This parameter is used to specify whether the claim type may have values outside of the SuggestedValues. If this is set to true, then the claim should only have values specified in the SuggestedValues. Note that Active Directory does not enforce this restriction. It is up to the applications that use these claims to enforce the restriction. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SourceOID</maml:name><maml:description><maml:para>Use to configure a certificate-based claim type source. For example, use this parameter to create certificate-based claim types when you want to use smartcard logon claims for authorization decisions. This parameter uses the string representation of an object identifier (OID) from the issuance policy found in the certificate and on the certificate template when using Active Directory Certificate Services. An example of an OID is "1.3.6.1.4.1.311.47.2.5". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Set-ADClaimType</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Country,CN=Claim Types,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimType</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AppliesToClasses</maml:name><maml:description><maml:para>Specifies the names, GUIDs or DNs of the schema classes to which this claim type is applied. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the claim type. The display name of the claim type must be unique. The display name of a claim type can be used as an identity in other Active Directory cmdlets. For example, if the display name of a claim type is "Employee Type", then you can use 'Get-ADClaimType -Identity "Employee Type"' to retrieve the claim type. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Enabled</maml:name><maml:description><maml:para>Specifies if the claim type is enabled. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>RestrictValues</maml:name><maml:description><maml:para>This parameter is used to specify whether the claim type may have values outside of the SuggestedValues. If this is set to true, then the claim should only have values specified in the SuggestedValues. Note that Active Directory does not enforce this restriction. It is up to the applications that use these claims to enforce the restriction. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SuggestedValues</maml:name><maml:description><maml:para>Specifies one or more suggested values for the claim type. An application may choose to present this list of suggested values for the user to choose from. When RestrictValues is set to true, the application should restrict the user to pick values from this list only. </maml:para><maml:para>Example: </maml:para><maml:para>$fullTime = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("FTE", "Full-Time", "Full-time employee"); </maml:para><maml:para>$intern = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Intern", "Intern", "Student employee"); </maml:para><maml:para>$contractor = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Contractor", "Contractor", "Contract employee"); </maml:para><maml:para>New-ADClaimType "Employee Type" -SourceAttribute employeeType -SuggestedValues $fullTime,$intern,$contractor </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADSuggestedValueEntry[]</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SourceTransformPolicy</maml:name><maml:description><maml:para>Indicates that the claim type is sourced from the claims transformation policy engine.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Set-ADClaimType</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of an claim type object to use as a template for a new claim type object. </maml:para><maml:para>You can use an instance of an existing claim type object as a template or you can construct a new claim type object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new claim type object. </maml:para><maml:para>Method 1: Use an existing claim type object as a template for a new object. To retrieve an instance of an existing claim type object, use a cmdlet such as Get-ADClaimType. Then provide this object to the Instance parameter of the New-ADClaimType cmdlet to create a new claim type object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADClaimType -Identity "Employee Type" </maml:para><maml:para>New-ADClaimType -Name " Employee Type" -Instance $ObjectInstance </maml:para><maml:para>Method 2: Create a new claim type and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADClaimType cmdlet to create the new claim type object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADClaimType </maml:para><maml:para>$objectInstance.Description = Employee Type can be full-time, intern or contractor." </maml:para><maml:para>New-ADClaimType -Name "Employee Type" -Instance $ObjectInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimType</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AppliesToClasses</maml:name><maml:description><maml:para>Specifies the names, GUIDs or DNs of the schema classes to which this claim type is applied. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the claim type. The display name of the claim type must be unique. The display name of a claim type can be used as an identity in other Active Directory cmdlets. For example, if the display name of a claim type is "Employee Type", then you can use 'Get-ADClaimType -Identity "Employee Type"' to retrieve the claim type. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Enabled</maml:name><maml:description><maml:para>Specifies if the claim type is enabled. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Country,CN=Claim Types,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimType</command:parameterValue><dev:type><maml:name>ADClaimType</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of an claim type object to use as a template for a new claim type object. </maml:para><maml:para>You can use an instance of an existing claim type object as a template or you can construct a new claim type object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new claim type object. </maml:para><maml:para>Method 1: Use an existing claim type object as a template for a new object. To retrieve an instance of an existing claim type object, use a cmdlet such as Get-ADClaimType. Then provide this object to the Instance parameter of the New-ADClaimType cmdlet to create a new claim type object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADClaimType -Identity "Employee Type" </maml:para><maml:para>New-ADClaimType -Name " Employee Type" -Instance $ObjectInstance </maml:para><maml:para>Method 2: Create a new claim type and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADClaimType cmdlet to create the new claim type object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADClaimType </maml:para><maml:para>$objectInstance.Description = Employee Type can be full-time, intern or contractor." </maml:para><maml:para>New-ADClaimType -Name "Employee Type" -Instance $ObjectInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimType</command:parameterValue><dev:type><maml:name>ADClaimType</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>RestrictValues</maml:name><maml:description><maml:para>This parameter is used to specify whether the claim type may have values outside of the SuggestedValues. If this is set to true, then the claim should only have values specified in the SuggestedValues. Note that Active Directory does not enforce this restriction. It is up to the applications that use these claims to enforce the restriction. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SourceAttribute</maml:name><maml:description><maml:para>Specifies an Active Directory attribute from which this claim type is based, and from which the claim value is obtained. The input must be the distinguished name (DN), Name, or GUID of the attribute definition in the schema. </maml:para><maml:para>Acceptable values include attributes of the following schema class objects: </maml:para><maml:para>- User, InetOrgPerson, Computer, ManagedServiceAccount, GroupManagedServiceAccount, and Auxiliary class objects </maml:para><maml:para>Except: </maml:para><maml:para>- Attributes marked as defunct in the schema </maml:para><maml:para>- Blocked attributes such as dBCSPwd, lmPwdHistory, and unicodePwd </maml:para><maml:para>- Attributes that are not replicated </maml:para><maml:para>- Attributes that are not available on read-only domain controllers </maml:para><maml:para>- Attributes with syntaxes not based on the following </maml:para><maml:para>- String Object (DS-DN) </maml:para><maml:para>- String (Unicode) </maml:para><maml:para>- Boolean </maml:para><maml:para>- Integer </maml:para><maml:para>- Large Integer </maml:para><maml:para>- String (OID) </maml:para><maml:para>- String (SD) </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SourceOID</maml:name><maml:description><maml:para>Use to configure a certificate-based claim type source. For example, use this parameter to create certificate-based claim types when you want to use smartcard logon claims for authorization decisions. This parameter uses the string representation of an object identifier (OID) from the issuance policy found in the certificate and on the certificate template when using Active Directory Certificate Services. An example of an OID is "1.3.6.1.4.1.311.47.2.5". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SourceTransformPolicy</maml:name><maml:description><maml:para>Indicates that the claim type is sourced from the claims transformation policy engine.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SuggestedValues</maml:name><maml:description><maml:para>Specifies one or more suggested values for the claim type. An application may choose to present this list of suggested values for the user to choose from. When RestrictValues is set to true, the application should restrict the user to pick values from this list only. </maml:para><maml:para>Example: </maml:para><maml:para>$fullTime = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("FTE", "Full-Time", "Full-time employee"); </maml:para><maml:para>$intern = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Intern", "Intern", "Student employee"); </maml:para><maml:para>$contractor = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Contractor", "Contractor", "Contract employee"); </maml:para><maml:para>New-ADClaimType "Employee Type" -SourceAttribute employeeType -SuggestedValues $fullTime,$intern,$contractor </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADSuggestedValueEntry[]</command:parameterValue><dev:type><maml:name>ADSuggestedValueEntry[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADClaimType</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADClaimType</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADClaimType Title -SourceAttribute title </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Sets the user claim type with display name 'Title' to source from the Active Directory attribute 'title'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>$fullTime = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("FTE", "Full-Time", "Full-time employee"); $intern = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Intern", "Intern", "Student employee"); $contractor = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Contractor", "Contractor", "Contract employee"); Set-ADClaimType "Employee Type" -SuggestedValues $fullTime,$intern,$contractor </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Sets the suggested values of the user claim type with display name 'Employee Type' to 'FTE', 'Intern', and 'Contractor. Applications using this claim type would allow their users to specify one of the suggested values as this claim type's value. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADclaimType "Bitlocker Enabled" -SourceOID "1.3.6.1.4.1.311.67.1.1" -Enabled $FALSE </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Set the source OID of the claim type with display name 'Bitlocker Enabled' to '1.3.6.1.4.1.311.67.1.1'. Disable the claim type. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\>Set-ADClaimType SourceForest -SourceTransformPolicy </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Sets the claim type named 'SourceForest' to source from the claims transformation policy engine. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291113</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Set-ADComputer</command:name><maml:description><maml:para>Modifies an Active Directory computer object.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Set</command:verb><command:noun>ADComputer</command:noun><dev:version /></command:details><maml:description><maml:para>The Set-ADComputer cmdlet modifies the properties of an Active Directory computer object. You can modify commonly used property values by using the cmdlet parameters. Property values that are not associated with cmdlet parameters can be modified by using the Add, Replace, Clear and Remove parameters. </maml:para><maml:para>The Identity parameter specifies the Active Directory computer to modify. You can identify a computer by its distinguished name Members (DN), GUID, security identifier (SID) or Security Accounts Manager (SAM) account name. You can also set the Identity parameter to an object variable such as $<localComputerObject>, or you can pass an object through the pipeline to the Identity parameter. For example, you can use the Get-ADComputer cmdlet to retrieve a computer object and then pass the object through the pipeline to Set-ADComputer. </maml:para><maml:para>The Instance parameter provides a way to update a computer by applying the changes made to a copy of the computer object. When you set the Instance parameter to a copy of an Active Directory computer object that has been modified, the Set-ADComputer cmdlet makes the same changes to the original computer object. To get a copy of the object to modify, use the Get-ADComputer object. When you specify the Instance parameter you should not pass the identity parameter. For more information about the Instance parameter, see the Instance parameter description. For more information about how the instance concept is used in Active Directory cmdlets, see about_ActiveDirectory_Instance. </maml:para><maml:para>The following examples show how to modify the Location property of a computer object by using three methods: </maml:para><maml:para>-By specifying the Identity and the Location parameters </maml:para><maml:para>-By passing a computer object through the pipeline and specifying the Location parameter </maml:para><maml:para>-By specifying the Instance parameter. </maml:para><maml:para>Method 1: Modify the Location property for the saraDavisLaptop computer by using the Identity and Location parameters. </maml:para><maml:para>Set-ADComputer -Identity SaraDavisLaptop -Location "W4013" </maml:para><maml:para>Method 2: Modify the Location property for the saraDavisLaptop computer by passing the computer object through the pipeline and specifying the Location parameter. </maml:para><maml:para>Get-ADComputer SaraDavisLaptop | Set-ADcomputer -Location "W4013" </maml:para><maml:para>Method 3: Modify the Location property for the saraDavisLaptop computer by using the Windows PowerShell command line to modify a local instance of the computer object. Then set the Instance parameter to the local instance. </maml:para><maml:para>$computer = Get-ADcomputer saraDavisLaptop </maml:para><maml:para>$computer.Location= "W4013" </maml:para><maml:para>Set-ADComputer -Instance $computer </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Set-ADComputer</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory computer object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavisDesktop,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>Security Accounts Manager Account Name (sAMAccountName) </maml:para><maml:para>Example: SaraDavisDesktop </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If the identifier given is a DN, the partition to search will be computed from that DN. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a computer object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saraDavisDesktop,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a computer object instance named "computerInstance". </maml:para><maml:para>-Identity $computerInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADComputer</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AccountExpirationDate</maml:name><maml:description><maml:para>Specifies the expiration date for an account. When you set this parameter to 0, the account never expires. This parameter sets the AccountExpirationDate property of an account object. The LDAP Display name (ldapDisplayName) for this property is accountExpires. </maml:para><maml:para>Use the DateTime syntax when you specify this parameter. Time is assumed to be local time unless otherwise specified. When a time value is not specified, the time is assumed to 12:00:00 AM local time. When a date is not specified, the date is assumed to be the current date. The following examples show commonly-used syntax to specify a DateTime object. </maml:para><maml:para>"4/17/2006" </maml:para><maml:para>"Monday, April 17, 2006" </maml:para><maml:para>"2:22:45 PM" </maml:para><maml:para>"Monday, April 17, 2006 2:22:45 PM" </maml:para><maml:para>These examples specify the same date and the time without the seconds. </maml:para><maml:para>"4/17/2006 2:22 PM" </maml:para><maml:para>"Monday, April 17, 2006 2:22 PM" </maml:para><maml:para>"2:22 PM" </maml:para><maml:para>The following example shows how to specify a date and time by using the RFC1123 standard. This example defines time by using Greenwich Mean Time (GMT). </maml:para><maml:para>"Mon, 17 Apr 2006 21:22:48 GMT" </maml:para><maml:para>The following example shows how to specify a round-trip value as Coordinated Universal Time (UTC). This example represents Monday, April 17, 2006 at 2:22:48 PM UTC. </maml:para><maml:para>"2006-04-17T14:22:48.0000000" </maml:para><maml:para>The following example shows how to set this parameter to the date May 1, 2012 at 5 PM. </maml:para><maml:para>-AccountExpirationDate "05/01/2012 5:00:00 PM" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AccountNotDelegated</maml:name><maml:description><maml:para>Specifies whether the security context of the user is delegated to a service. When this parameter is set to true, the security context of the account is not delegated to a service even when the service account is set as trusted for Kerberos delegation. This parameter sets the AccountNotDelegated property for an Active Directory account. This parameter also sets the ADS_UF_NOT_DELEGATED flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that the security context of the account is not delegated to a service. </maml:para><maml:para>-AccountNotDelegated $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AllowReversiblePasswordEncryption</maml:name><maml:description><maml:para>Specifies whether reversible password encryption is allowed for the account. This parameter sets the AllowReversiblePasswordEncryption property of the account. This parameter also sets the ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-AllowReversiblePasswordEncryption $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthenticationPolicy</maml:name><maml:description><maml:para></maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthenticationPolicySilo</maml:name><maml:description><maml:para></maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicySilo</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>CannotChangePassword</maml:name><maml:description><maml:para>Specifies whether the account password can be changed. This parameter sets the CannotChangePassword property of an account. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that the account password can be changed. </maml:para><maml:para>-CannotChangePassword $false </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Certificates</maml:name><maml:description><maml:para>Modifies the DER-encoded X.509v3 certificates of the account. These certificates include the public key certificates issued to this account by the Microsoft Certificate Service. This parameter sets the Certificates property of the account object. The LDAP Display Name (ldapDisplayName) for this property is "userCertificate". </maml:para><maml:para>Syntax: </maml:para><maml:para>To add values: </maml:para><maml:para>-Certificates @{Add=value1,value2,...} </maml:para><maml:para>To remove values: </maml:para><maml:para>-Certificates @{Remove=value3,value4,...} </maml:para><maml:para>To replace values: </maml:para><maml:para>-Certificates @{Replace=value1,value2,...} </maml:para><maml:para>To clear all values: </maml:para><maml:para>-Certificates $null </maml:para><maml:para>You can specify more than one operation by using a list separated by semicolons. For example, use the following syntax to add and remove Certificate values </maml:para><maml:para>-Certificates @{Add=value1,value2,...};@{Remove=value3,value4,...} </maml:para><maml:para>The operators will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>The following example shows how to create a certificate by using the New-Object cmdlet, and then add it to a user account. When this cmdlet is run, <certificate password> is replaced by the password used to add the certificate. </maml:para><maml:para>$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate certificate1.cer <certificate password> </maml:para><maml:para>Set-ADUser saradavis -Certificates @{Add=$cert} </maml:para><maml:para>The following example shows how to add a certificate that is specified as a byte array. </maml:para><maml:para>Set-ADUser saradavis -Certificates @{Add= [Byte[]](0xC5,0xEE,0x53,...)} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ChangePasswordAtLogon</maml:name><maml:description><maml:para>Specifies whether a password must be changed during the next logon attempt. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>This parameter cannot be set to $true or 1 for an account that also has the PasswordNeverExpires property set to true. </maml:para><maml:para>The following example shows how to set this parameter so that the password must be changed at logon. </maml:para><maml:para>-ChangePasswordAtLogon $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>CompoundIdentitySupported</maml:name><maml:description><maml:para>Specifies whether an account supports Kerberos service tickets which includes the authorization data for the user's device. This value sets the compound identity supported flag of the Active Directory msDS-SupportedEncryptionTypes attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to specify that an account supports service tickets with device authorization data. </maml:para><maml:para>-SupportDeviceAuthz $true </maml:para><maml:para>Warning: Domain-joined Windows systems and services such as clustering manage their own msDS-SupportedEncryptionTypes attribute. Therefore any changes to the flag on the msDS-SupportedEncryptionTypes attribute will be overwritten by the service or system which manages the setting. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is "displayName". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-DisplayName "Sara Davis Laptop" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>DNSHostName</maml:name><maml:description><maml:para>Specifies the fully qualified domain name (FQDN) of the computer. This parameter sets the DNSHostName property for a computer object. The LDAP Display Name for this property is "dNSHostName". </maml:para><maml:para>The following example shows how to set this parameter to a FQDN. </maml:para><maml:para>-DNSHostName "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Enabled</maml:name><maml:description><maml:para>Specifies if an account is enabled. An enabled account requires a password. This parameter sets the Enabled property for an account object. This parameter also sets the ADS_UF_ACCOUNTDISABLE flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to enable the account. </maml:para><maml:para>-Enabled $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>HomePage</maml:name><maml:description><maml:para>Specifies the URL of the home page of the object. This parameter sets the homePage property of an Active Directory object. The LDAP Display Name (ldapDisplayName) for this property is "wWWHomePage". </maml:para><maml:para>The following example shows how to set this parameter to a URL. </maml:para><maml:para>-HomePage "http://employees.contoso.com/sdavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>KerberosEncryptionType</maml:name><maml:description><maml:para>Specifies whether an account supports Kerberos encryption types which are used during creation of service tickets. This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes attribute. Possible values for this parameter are: </maml:para><maml:para>None </maml:para><maml:para>DES </maml:para><maml:para>RC4 </maml:para><maml:para>AES128 </maml:para><maml:para>AES256 </maml:para><maml:para>None, will remove all encryption types from the account which may result in the KDC being unable to issue service tickets for services using the account. </maml:para><maml:para>DES is a weak encryption type which is not supported by default since Windows 7 and Windows Server 2008 R2. </maml:para><maml:para>The following example shows how to specify that an account supports service tickets with device authorization data. </maml:para><maml:para>-KerberosEncryptionTypes RC4|AES128|AES256 </maml:para><maml:para>Warning: Domain-joined Windows systems and services such as clustering manage their own msDS-SupportedEncryptionTypes attribute. Therefore any changes to the flag on the msDS-SupportedEncryptionTypes attribute will be overwritten by the service or system which manages the setting. </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">None</command:parameterValue><command:parameterValue required="true" variableLength="false">DES</command:parameterValue><command:parameterValue required="true" variableLength="false">RC4</command:parameterValue><command:parameterValue required="true" variableLength="false">AES128</command:parameterValue><command:parameterValue required="true" variableLength="false">AES256</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Location</maml:name><maml:description><maml:para>Specifies the location of the computer, such as an office number. This parameter sets the Location property of a computer. The LDAP display name (ldapDisplayName) of this property is "location". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Location "Test Lab A" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ManagedBy</maml:name><maml:description><maml:para>Specifies the user or group that manages the object by providing one of the following property values. Note: The identifier in parentheses is the LDAP display name for the property. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,OU=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>This parameter sets the Active Directory attribute with an LDAP Display Name of "managedBy". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-ManagedBy ContosoAdmins </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADPrincipal</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OperatingSystem</maml:name><maml:description><maml:para>Specifies an operating system name. This parameter sets the OperatingSystem property of the computer object. The LDAP Display Name (ldapDisplayName) for this property is "operatingSystem". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-OperatingSystem "Windows Server 2008 Enterprise" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OperatingSystemHotfix</maml:name><maml:description><maml:para>Specifies an operating system hotfix name. This parameter sets the operatingSystemHotfix property of the computer object. The LDAP display name for this property is "operatingSystemHotfix". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-operatingSystemHotfix "523466" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OperatingSystemServicePack</maml:name><maml:description><maml:para>Specifies the name of an operating system service pack. This parameter sets the OperatingSystemServicePack property of the computer object. The LDAP display name (ldapDisplayName) for this property is "operatingSystemServicePack". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-OperatingSystemServicePack "Service Pack 2" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OperatingSystemVersion</maml:name><maml:description><maml:para>Specifies an operating system version. This parameter sets the OperatingSystemVersion property of the computer object. The LDAP display name (ldapDisplayName) for this property is "operatingSystemVersion". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-OperatingSystemVersion "6.0 (6001)" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PasswordNeverExpires</maml:name><maml:description><maml:para>Specifies whether the password of an account can expire. This parameter sets the PasswordNeverExpires property of an account object. This parameter also sets the ADS_UF_DONT_EXPIRE_PASSWD flag of the Active Directory User Account Control attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>Note: This parameter cannot be set to $true or 1 for an account that also has the ChangePasswordAtLogon property set to true. </maml:para><maml:para>The following example shows how to set this parameter so that the password can expire. </maml:para><maml:para>-PasswordNeverExpires $false </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PasswordNotRequired</maml:name><maml:description><maml:para>Specifies whether the account requires a password. This parameter sets the PasswordNotRequired property of an account, such as a user or computer account. This parameter also sets the ADS_UF_PASSWD_NOTREQD flag of the Active Directory User Account Control attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that as password is not required for the account. </maml:para><maml:para>-PasswordNotRequired $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PrincipalsAllowedToDelegateToAccount</maml:name><maml:description><maml:para>Specifies the accounts which can act on the behalf of users to services running as this computer account. This parameter sets the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of a computer account object. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADPrincipal[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SAMAccountName</maml:name><maml:description><maml:para>Specifies the Security Account Manager (SAM) account name of the user, group, computer, or service account. The maximum length of the description is 256 characters. To be compatible with older operating systems, create a SAM account name that is 20 characters or less. This parameter sets the SAMAccountName for an account object. The LDAP display name (ldapDisplayName) for this property is "sAMAccountName". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-SAMAccountName "saradavis" </maml:para><maml:para>Note: If the string value provided is not terminated with a '$' character, the system adds one if needed. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ServicePrincipalNames</maml:name><maml:description><maml:para>Specifies the service principal names for the account. This parameter sets the ServicePrincipalNames property of the account. The LDAP display name (ldapDisplayName) for this property is servicePrincipalName. This parameter uses the following syntax to add remove, replace or clear service principal name values. </maml:para><maml:para>Syntax: </maml:para><maml:para>To add values: </maml:para><maml:para>-ServicePrincipalNames @{Add=value1,value2,...} </maml:para><maml:para>To remove values: </maml:para><maml:para>-ServicePrincipalNames @{Remove=value3,value4,...} </maml:para><maml:para>To replace values: </maml:para><maml:para>-ServicePrincipalNames @{Replace=value1,value2,...} </maml:para><maml:para>To clear all values: </maml:para><maml:para>-ServicePrincipalNames $null </maml:para><maml:para>You can specify more than one change by using a list separated by semicolons. For example, use the following syntax to add and remove service principal names. </maml:para><maml:para>@{Add=value1,value2,...};@{Remove=value3,value4,...} </maml:para><maml:para>The operators will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>The following example shows how to add and remove service principal names. </maml:para><maml:para>-ServicePrincipalNames-@{Add="SQLservice\accounting.corp.contoso.com:1456"};{Remove="SQLservice\finance.corp.contoso.com:1456"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>TrustedForDelegation</maml:name><maml:description><maml:para>Specifies whether an account is trusted for Kerberos delegation. A service that runs under an account that is trusted for Kerberos delegation can assume the identity of a client requesting the service. This parameter sets the TrustedForDelegation property of an account object. This value also sets the ADS_UF_TRUSTED_FOR_DELEGATION flag of the Active Directory User Account Control attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to specify that an account is trusted for Kerberos delegation. </maml:para><maml:para>-TrustedForDelegation $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>UserPrincipalName</maml:name><maml:description><maml:para>Each user account has a user principal name (UPN) in the format <user>@<DNS-domain-name>. A UPN is a friendly name assigned by an administrator that is shorter than the LDAP distinguished name used by the system and easier to remember. The UPN is independent of the user object's DN, so a user object can be moved or renamed without affecting the user logon name. When logging on using a UPN, users no longer have to choose a domain from a list on the logon dialog box. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Set-ADComputer</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies a modified copy of a computer object to use to update the actual Active Directory computer object. When this parameter is used, any modifications made to the modified copy of the object are also made to the corresponding Active Directory object. The cmdlet only updates the object properties that have changed. </maml:para><maml:para>The Instance parameter can only update computer objects that have been retrieved by using the Get-ADComputer cmdlet. When you specify the Instance parameter, you cannot specify other parameters that set properties on the object. </maml:para><maml:para>The following is an example of how to use the Get-ADComputer cmdlet to retrieve an instance of the ADComputer object. The object is modified by using the Windows PowerShell command line. Then the Set-ADComputer cmdlet saves the changes to the Active Directory object. </maml:para><maml:para>Step 1: Retrieve a local instance of the object. </maml:para><maml:para>$computerInstance = Get-ADComputer -Identity saraDavisDesktop </maml:para><maml:para>Step 2: Modify one or more properties of the object instance. </maml:para><maml:para>$computerInstance.Description = "Sara Davis Computer" </maml:para><maml:para>Step3: Save your changes to saraDavisDesktop. </maml:para><maml:para>Set-ADComputer -Instance $computerInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADComputer</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AccountExpirationDate</maml:name><maml:description><maml:para>Specifies the expiration date for an account. When you set this parameter to 0, the account never expires. This parameter sets the AccountExpirationDate property of an account object. The LDAP Display name (ldapDisplayName) for this property is accountExpires. </maml:para><maml:para>Use the DateTime syntax when you specify this parameter. Time is assumed to be local time unless otherwise specified. When a time value is not specified, the time is assumed to 12:00:00 AM local time. When a date is not specified, the date is assumed to be the current date. The following examples show commonly-used syntax to specify a DateTime object. </maml:para><maml:para>"4/17/2006" </maml:para><maml:para>"Monday, April 17, 2006" </maml:para><maml:para>"2:22:45 PM" </maml:para><maml:para>"Monday, April 17, 2006 2:22:45 PM" </maml:para><maml:para>These examples specify the same date and the time without the seconds. </maml:para><maml:para>"4/17/2006 2:22 PM" </maml:para><maml:para>"Monday, April 17, 2006 2:22 PM" </maml:para><maml:para>"2:22 PM" </maml:para><maml:para>The following example shows how to specify a date and time by using the RFC1123 standard. This example defines time by using Greenwich Mean Time (GMT). </maml:para><maml:para>"Mon, 17 Apr 2006 21:22:48 GMT" </maml:para><maml:para>The following example shows how to specify a round-trip value as Coordinated Universal Time (UTC). This example represents Monday, April 17, 2006 at 2:22:48 PM UTC. </maml:para><maml:para>"2006-04-17T14:22:48.0000000" </maml:para><maml:para>The following example shows how to set this parameter to the date May 1, 2012 at 5 PM. </maml:para><maml:para>-AccountExpirationDate "05/01/2012 5:00:00 PM" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue><dev:type><maml:name>DateTime</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AccountNotDelegated</maml:name><maml:description><maml:para>Specifies whether the security context of the user is delegated to a service. When this parameter is set to true, the security context of the account is not delegated to a service even when the service account is set as trusted for Kerberos delegation. This parameter sets the AccountNotDelegated property for an Active Directory account. This parameter also sets the ADS_UF_NOT_DELEGATED flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that the security context of the account is not delegated to a service. </maml:para><maml:para>-AccountNotDelegated $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AllowReversiblePasswordEncryption</maml:name><maml:description><maml:para>Specifies whether reversible password encryption is allowed for the account. This parameter sets the AllowReversiblePasswordEncryption property of the account. This parameter also sets the ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-AllowReversiblePasswordEncryption $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthenticationPolicy</maml:name><maml:description><maml:para></maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue><dev:type><maml:name>ADAuthenticationPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthenticationPolicySilo</maml:name><maml:description><maml:para></maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicySilo</command:parameterValue><dev:type><maml:name>ADAuthenticationPolicySilo</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>CannotChangePassword</maml:name><maml:description><maml:para>Specifies whether the account password can be changed. This parameter sets the CannotChangePassword property of an account. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that the account password can be changed. </maml:para><maml:para>-CannotChangePassword $false </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Certificates</maml:name><maml:description><maml:para>Modifies the DER-encoded X.509v3 certificates of the account. These certificates include the public key certificates issued to this account by the Microsoft Certificate Service. This parameter sets the Certificates property of the account object. The LDAP Display Name (ldapDisplayName) for this property is "userCertificate". </maml:para><maml:para>Syntax: </maml:para><maml:para>To add values: </maml:para><maml:para>-Certificates @{Add=value1,value2,...} </maml:para><maml:para>To remove values: </maml:para><maml:para>-Certificates @{Remove=value3,value4,...} </maml:para><maml:para>To replace values: </maml:para><maml:para>-Certificates @{Replace=value1,value2,...} </maml:para><maml:para>To clear all values: </maml:para><maml:para>-Certificates $null </maml:para><maml:para>You can specify more than one operation by using a list separated by semicolons. For example, use the following syntax to add and remove Certificate values </maml:para><maml:para>-Certificates @{Add=value1,value2,...};@{Remove=value3,value4,...} </maml:para><maml:para>The operators will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>The following example shows how to create a certificate by using the New-Object cmdlet, and then add it to a user account. When this cmdlet is run, <certificate password> is replaced by the password used to add the certificate. </maml:para><maml:para>$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate certificate1.cer <certificate password> </maml:para><maml:para>Set-ADUser saradavis -Certificates @{Add=$cert} </maml:para><maml:para>The following example shows how to add a certificate that is specified as a byte array. </maml:para><maml:para>Set-ADUser saradavis -Certificates @{Add= [Byte[]](0xC5,0xEE,0x53,...)} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ChangePasswordAtLogon</maml:name><maml:description><maml:para>Specifies whether a password must be changed during the next logon attempt. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>This parameter cannot be set to $true or 1 for an account that also has the PasswordNeverExpires property set to true. </maml:para><maml:para>The following example shows how to set this parameter so that the password must be changed at logon. </maml:para><maml:para>-ChangePasswordAtLogon $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>CompoundIdentitySupported</maml:name><maml:description><maml:para>Specifies whether an account supports Kerberos service tickets which includes the authorization data for the user's device. This value sets the compound identity supported flag of the Active Directory msDS-SupportedEncryptionTypes attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to specify that an account supports service tickets with device authorization data. </maml:para><maml:para>-SupportDeviceAuthz $true </maml:para><maml:para>Warning: Domain-joined Windows systems and services such as clustering manage their own msDS-SupportedEncryptionTypes attribute. Therefore any changes to the flag on the msDS-SupportedEncryptionTypes attribute will be overwritten by the service or system which manages the setting. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>DNSHostName</maml:name><maml:description><maml:para>Specifies the fully qualified domain name (FQDN) of the computer. This parameter sets the DNSHostName property for a computer object. The LDAP Display Name for this property is "dNSHostName". </maml:para><maml:para>The following example shows how to set this parameter to a FQDN. </maml:para><maml:para>-DNSHostName "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is "displayName". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-DisplayName "Sara Davis Laptop" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Enabled</maml:name><maml:description><maml:para>Specifies if an account is enabled. An enabled account requires a password. This parameter sets the Enabled property for an account object. This parameter also sets the ADS_UF_ACCOUNTDISABLE flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to enable the account. </maml:para><maml:para>-Enabled $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>HomePage</maml:name><maml:description><maml:para>Specifies the URL of the home page of the object. This parameter sets the homePage property of an Active Directory object. The LDAP Display Name (ldapDisplayName) for this property is "wWWHomePage". </maml:para><maml:para>The following example shows how to set this parameter to a URL. </maml:para><maml:para>-HomePage "http://employees.contoso.com/sdavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory computer object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavisDesktop,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>Security Accounts Manager Account Name (sAMAccountName) </maml:para><maml:para>Example: SaraDavisDesktop </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If the identifier given is a DN, the partition to search will be computed from that DN. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a computer object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saraDavisDesktop,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a computer object instance named "computerInstance". </maml:para><maml:para>-Identity $computerInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADComputer</command:parameterValue><dev:type><maml:name>ADComputer</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies a modified copy of a computer object to use to update the actual Active Directory computer object. When this parameter is used, any modifications made to the modified copy of the object are also made to the corresponding Active Directory object. The cmdlet only updates the object properties that have changed. </maml:para><maml:para>The Instance parameter can only update computer objects that have been retrieved by using the Get-ADComputer cmdlet. When you specify the Instance parameter, you cannot specify other parameters that set properties on the object. </maml:para><maml:para>The following is an example of how to use the Get-ADComputer cmdlet to retrieve an instance of the ADComputer object. The object is modified by using the Windows PowerShell command line. Then the Set-ADComputer cmdlet saves the changes to the Active Directory object. </maml:para><maml:para>Step 1: Retrieve a local instance of the object. </maml:para><maml:para>$computerInstance = Get-ADComputer -Identity saraDavisDesktop </maml:para><maml:para>Step 2: Modify one or more properties of the object instance. </maml:para><maml:para>$computerInstance.Description = "Sara Davis Computer" </maml:para><maml:para>Step3: Save your changes to saraDavisDesktop. </maml:para><maml:para>Set-ADComputer -Instance $computerInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADComputer</command:parameterValue><dev:type><maml:name>ADComputer</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>KerberosEncryptionType</maml:name><maml:description><maml:para>Specifies whether an account supports Kerberos encryption types which are used during creation of service tickets. This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes attribute. Possible values for this parameter are: </maml:para><maml:para>None </maml:para><maml:para>DES </maml:para><maml:para>RC4 </maml:para><maml:para>AES128 </maml:para><maml:para>AES256 </maml:para><maml:para>None, will remove all encryption types from the account which may result in the KDC being unable to issue service tickets for services using the account. </maml:para><maml:para>DES is a weak encryption type which is not supported by default since Windows 7 and Windows Server 2008 R2. </maml:para><maml:para>The following example shows how to specify that an account supports service tickets with device authorization data. </maml:para><maml:para>-KerberosEncryptionTypes RC4|AES128|AES256 </maml:para><maml:para>Warning: Domain-joined Windows systems and services such as clustering manage their own msDS-SupportedEncryptionTypes attribute. Therefore any changes to the flag on the msDS-SupportedEncryptionTypes attribute will be overwritten by the service or system which manages the setting. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADKerberosEncryptionType</command:parameterValue><dev:type><maml:name>ADKerberosEncryptionType</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Location</maml:name><maml:description><maml:para>Specifies the location of the computer, such as an office number. This parameter sets the Location property of a computer. The LDAP display name (ldapDisplayName) of this property is "location". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Location "Test Lab A" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ManagedBy</maml:name><maml:description><maml:para>Specifies the user or group that manages the object by providing one of the following property values. Note: The identifier in parentheses is the LDAP display name for the property. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,OU=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>This parameter sets the Active Directory attribute with an LDAP Display Name of "managedBy". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-ManagedBy ContosoAdmins </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADPrincipal</command:parameterValue><dev:type><maml:name>ADPrincipal</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OperatingSystem</maml:name><maml:description><maml:para>Specifies an operating system name. This parameter sets the OperatingSystem property of the computer object. The LDAP Display Name (ldapDisplayName) for this property is "operatingSystem". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-OperatingSystem "Windows Server 2008 Enterprise" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OperatingSystemHotfix</maml:name><maml:description><maml:para>Specifies an operating system hotfix name. This parameter sets the operatingSystemHotfix property of the computer object. The LDAP display name for this property is "operatingSystemHotfix". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-operatingSystemHotfix "523466" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OperatingSystemServicePack</maml:name><maml:description><maml:para>Specifies the name of an operating system service pack. This parameter sets the OperatingSystemServicePack property of the computer object. The LDAP display name (ldapDisplayName) for this property is "operatingSystemServicePack". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-OperatingSystemServicePack "Service Pack 2" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OperatingSystemVersion</maml:name><maml:description><maml:para>Specifies an operating system version. This parameter sets the OperatingSystemVersion property of the computer object. The LDAP display name (ldapDisplayName) for this property is "operatingSystemVersion". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-OperatingSystemVersion "6.0 (6001)" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PasswordNeverExpires</maml:name><maml:description><maml:para>Specifies whether the password of an account can expire. This parameter sets the PasswordNeverExpires property of an account object. This parameter also sets the ADS_UF_DONT_EXPIRE_PASSWD flag of the Active Directory User Account Control attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>Note: This parameter cannot be set to $true or 1 for an account that also has the ChangePasswordAtLogon property set to true. </maml:para><maml:para>The following example shows how to set this parameter so that the password can expire. </maml:para><maml:para>-PasswordNeverExpires $false </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PasswordNotRequired</maml:name><maml:description><maml:para>Specifies whether the account requires a password. This parameter sets the PasswordNotRequired property of an account, such as a user or computer account. This parameter also sets the ADS_UF_PASSWD_NOTREQD flag of the Active Directory User Account Control attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that as password is not required for the account. </maml:para><maml:para>-PasswordNotRequired $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PrincipalsAllowedToDelegateToAccount</maml:name><maml:description><maml:para>Specifies the accounts which can act on the behalf of users to services running as this computer account. This parameter sets the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of a computer account object. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADPrincipal[]</command:parameterValue><dev:type><maml:name>ADPrincipal[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SAMAccountName</maml:name><maml:description><maml:para>Specifies the Security Account Manager (SAM) account name of the user, group, computer, or service account. The maximum length of the description is 256 characters. To be compatible with older operating systems, create a SAM account name that is 20 characters or less. This parameter sets the SAMAccountName for an account object. The LDAP display name (ldapDisplayName) for this property is "sAMAccountName". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-SAMAccountName "saradavis" </maml:para><maml:para>Note: If the string value provided is not terminated with a '$' character, the system adds one if needed. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ServicePrincipalNames</maml:name><maml:description><maml:para>Specifies the service principal names for the account. This parameter sets the ServicePrincipalNames property of the account. The LDAP display name (ldapDisplayName) for this property is servicePrincipalName. This parameter uses the following syntax to add remove, replace or clear service principal name values. </maml:para><maml:para>Syntax: </maml:para><maml:para>To add values: </maml:para><maml:para>-ServicePrincipalNames @{Add=value1,value2,...} </maml:para><maml:para>To remove values: </maml:para><maml:para>-ServicePrincipalNames @{Remove=value3,value4,...} </maml:para><maml:para>To replace values: </maml:para><maml:para>-ServicePrincipalNames @{Replace=value1,value2,...} </maml:para><maml:para>To clear all values: </maml:para><maml:para>-ServicePrincipalNames $null </maml:para><maml:para>You can specify more than one change by using a list separated by semicolons. For example, use the following syntax to add and remove service principal names. </maml:para><maml:para>@{Add=value1,value2,...};@{Remove=value3,value4,...} </maml:para><maml:para>The operators will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>The following example shows how to add and remove service principal names. </maml:para><maml:para>-ServicePrincipalNames-@{Add="SQLservice\accounting.corp.contoso.com:1456"};{Remove="SQLservice\finance.corp.contoso.com:1456"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>TrustedForDelegation</maml:name><maml:description><maml:para>Specifies whether an account is trusted for Kerberos delegation. A service that runs under an account that is trusted for Kerberos delegation can assume the identity of a client requesting the service. This parameter sets the TrustedForDelegation property of an account object. This value also sets the ADS_UF_TRUSTED_FOR_DELEGATION flag of the Active Directory User Account Control attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to specify that an account is trusted for Kerberos delegation. </maml:para><maml:para>-TrustedForDelegation $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>UserPrincipalName</maml:name><maml:description><maml:para>Each user account has a user principal name (UPN) in the format <user>@<DNS-domain-name>. A UPN is a friendly name assigned by an administrator that is shorter than the LDAP distinguished name used by the system and easier to remember. The UPN is independent of the user object's DN, so a user object can be moved or renamed without affecting the user logon name. When logging on using a UPN, users no longer have to choose a domain from a list on the logon dialog box. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADComputer</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A computer object is received by the Identity parameter. </maml:para><maml:para>A computer object that was retrieved by using the Get-ADComputer cmdlet and then modified is received by the Instance parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADComputer</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns the modified computer object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with AD LDS. </maml:para><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para><maml:para>This cmdlet does not work when connected to Global Catalog port. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADComputer "FABRIKAM-SRV1" -ServicePrincipalName @{Replace="MSSQLSVC/FABRIKAM-SRV1.FABRIKAM.COM:1456","MSOLAPSVC.3/FABRIKAM-SRV1.FABRIKAM.COM:analyze"} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Modify the SPN value for a given computer. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADComputer "FABRIKAM-SRV1" -Location "NA/HQ/Building A" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Modify the location for a given computer. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADComputer "FABRIKAM-SRV1" -ManagedBy "CN=SQL Administrator 01,OU=UserAccounts,OU=Managed,DC=FABRIKAM,DC=COM" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Set the managed by attribute value for a given computer using the SAM account name of the user. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>$comp = Get-ADComputer "FABRIKAM-SRV1"; $comp.Location = "NA/HQ/Building A"; $comp.ManagedBy = "CN=SQL Administrator 01,OU=UserAccounts,OU=Managed,DC=FABRIKAM,DC=COM"; Set-ADComputer -Instance $comp </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Set the location and managed-by attributes of a given computer using the instance parameter set. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291114</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Add-ADComputerServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADComputer</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADComputerServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADComputer</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADComputer</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADComputerServiceAccount</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Set-ADDefaultDomainPasswordPolicy</command:name><maml:description><maml:para>Modifies the default password policy for an Active Directory domain.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Set</command:verb><command:noun>ADDefaultDomainPasswordPolicy</command:noun><dev:version /></command:details><maml:description><maml:para>The Set-ADDefaultDomainPasswordPolicy cmdlet modifies the properties of the default password policy for a domain. You can modify property values by using the cmdlet parameters. </maml:para><maml:para>The Identity parameter specifies the domain whose default password policy you want modify. You can identify a domain by its Distinguished Name (DN), GUID, Security Identifier (SID), DNS domain name, or NETBIOS name. You can also set the parameter to an ADDomain object variable, or pass an ADDomain object through the pipeline to the Identity parameter. For example, you can use the Get-ADDomain cmdlet to retrieve a domain object and then pass the object through the pipeline to the Set-ADDomainDefaultPasswordPolicy cmdlet. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Set-ADDefaultDomainPasswordPolicy</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory domain object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. All values are for the domainDNS object that represents the domain. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: DC=redmond,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370- </maml:para><maml:para>DNS domain name </maml:para><maml:para>Example: redmond.corp.contoso.com </maml:para><maml:para>NetBIOS domain name </maml:para><maml:para>Example: redmond </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a domain object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "DC=redmond,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a domain object instance named "domainInstance". </maml:para><maml:para>-Identity $domainInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADDefaultDomainPasswordPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ComplexityEnabled</maml:name><maml:description><maml:para>Specifies whether password complexity is enabled for the password policy. If enabled, the password must contain two of the following three character types: </maml:para><maml:para>Uppercase characters (A, B, C, D, E, ...) </maml:para><maml:para>Lowercase characters (a, b, c, d, e, ...) </maml:para><maml:para>Numerals (0, 1, 2, 3, ...) </maml:para><maml:para>This parameter sets the ComplexityEnabled property of a password policy. </maml:para><maml:para>Possible values for this parameter include: </maml:para><maml:para>$false or 0 - Disables password complexity </maml:para><maml:para>$true or 1 - Enables password complexity </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ComplexityEnabled $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LockoutDuration</maml:name><maml:description><maml:para>Specifies the length of time that an account is locked after the number of failed login attempts exceeds the lockout threshold. You cannot login to an account that is locked until the lockout duration time period has expired. This parameter sets the lockoutDuration property of a password policy object. The LDAP display name (ldapDisplayName) of this property is "msDS-LockoutDuration". </maml:para><maml:para>The lockout duration must be greater than or equal to the lockout observation time for a password policy. Use the LockOutObservationWindow parameter to set the lockout observation time. </maml:para><maml:para>Specify the lockout duration time interval in the following format. </maml:para><maml:para>[-]D.H:M:S.F </maml:para><maml:para>where: </maml:para><maml:para>D = Days (0 to 10675199) </maml:para><maml:para>H = Hours (0 to 23) </maml:para><maml:para>M = Minutes (0 to 59) </maml:para><maml:para>S = Seconds (0 to 59) </maml:para><maml:para>F= Fractions of a second (0 to 9999999) </maml:para><maml:para>The following examples show how to set this parameter. </maml:para><maml:para>Set the time to 2 days </maml:para><maml:para>-LockoutDuration "2" </maml:para><maml:para>Set the time to 4 hours </maml:para><maml:para>-LockoutDuration "4:00" </maml:para><maml:para>Set the time to 5 minutes </maml:para><maml:para>-LockoutDuration "0:5" </maml:para><maml:para>Set the time to 45 seconds </maml:para><maml:para>LockoutDuration "0:0:45" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">TimeSpan</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LockoutObservationWindow</maml:name><maml:description><maml:para>Specifies the maximum time interval between two unsuccessful login attempts before the number of unsuccessful login attempts is reset to 0. An account is locked when the number of unsuccessful login attempts exceeds the password policy lockout threshold. This parameter sets the lockoutObservationWindow property of a password policy object. The LDAP Display Name (ldapDisplayName) of this property is "msDS-lockoutObservationWindow". </maml:para><maml:para>The lockout observation window must be smaller than or equal to the lockout duration for a password policy. Use the LockoutDuration parameter to set the lockout duration time. </maml:para><maml:para>Specify the time interval in the following format. </maml:para><maml:para>[-]D:H:M:S.F </maml:para><maml:para>where: </maml:para><maml:para>D = Days (0 to 10675199) </maml:para><maml:para>H = Hours (0 to 23) </maml:para><maml:para>M = Minutes (0 to 59) </maml:para><maml:para>S = Seconds (0 to 59) </maml:para><maml:para>F= Fractions of a second (0 to 9999999) </maml:para><maml:para>Note: Time values must be between the following values: 0:0:0:0.0 and 10675199:02:48:05.4775807. </maml:para><maml:para>The following examples show how to set this parameter. </maml:para><maml:para>Set the time to 2 days </maml:para><maml:para>-LockoutObservationWindow "2" </maml:para><maml:para>Set the time to 4 hours </maml:para><maml:para>-LockoutObservationWindow "4:00" </maml:para><maml:para>Set the time to 5 minutes </maml:para><maml:para>-LockoutObservationWindow "0:5" </maml:para><maml:para>Set the time to 45 seconds </maml:para><maml:para>-LockoutObservationWindow "0:0:45" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">TimeSpan</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LockoutThreshold</maml:name><maml:description><maml:para>Specifies the number of unsuccessful login attempts that are permitted before an account is locked out. This number increases when the time between unsuccessful login attempts is less than the time specified for the lockout observation time window. This parameter sets the LockoutThreshold property of a password policy. </maml:para><maml:para>The following example shows how to set the lockout threshold to 3 login attempts. </maml:para><maml:para>-LockoutThreshold 3 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>MaxPasswordAge</maml:name><maml:description><maml:para>Specifies the maximum length of time that you can have the same password. After this time period, the password expires and you must create a new one. </maml:para><maml:para>This parameter sets the maxPasswordAge property of a password policy. The LDAP Display Name (ldapDisplayName) for this property is "maxPwdAge". </maml:para><maml:para>Specify the time interval in the following format. </maml:para><maml:para>[-]D.H:M:S.F </maml:para><maml:para>where: </maml:para><maml:para>[-] = Specifies a negative time interval </maml:para><maml:para>D = Days (0 to 10675199) </maml:para><maml:para>H = Hours (0 to 23) </maml:para><maml:para>M = Minutes (0 to 59) </maml:para><maml:para>S = Seconds (0 to 59) </maml:para><maml:para>F= Fractions of a second (0 to 9999999) </maml:para><maml:para>Note: Time values must be between the following values: -10675199:02:48:05.4775808 and 10675199:02:48:05.4775807. </maml:para><maml:para>The following examples show how to set this parameter. </maml:para><maml:para>Set the time span to 2 days </maml:para><maml:para>MaxPasswordAge "2" </maml:para><maml:para>Set the time span to the previous 2 days </maml:para><maml:para>MaxPasswordAge "-2" </maml:para><maml:para>Set the time span to 4 hours </maml:para><maml:para>MaxPasswordAge "4:00" </maml:para><maml:para>Set the time span to 5 minutes </maml:para><maml:para>MaxPasswordAge "0:5" </maml:para><maml:para>Set the time span to 45 seconds </maml:para><maml:para>MaxPasswordAge "0:0:45" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">TimeSpan</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>MinPasswordAge</maml:name><maml:description><maml:para>Specifies the minimum length of time before you can change a password. </maml:para><maml:para>This parameter sets the minPasswordAge property of a password policy. The LDAP Display Name (ldapDisplayName) for this property is "minPwdAge". </maml:para><maml:para>Specify the time interval in the following format. </maml:para><maml:para>[-]D.H:M:S.F </maml:para><maml:para>where: </maml:para><maml:para>[-] = Specifies a negative time interval </maml:para><maml:para>D = Days (0 to 10675199) </maml:para><maml:para>H = Hours (0 to 23) </maml:para><maml:para>M = Minutes (0 to 59) </maml:para><maml:para>S = Seconds (0 to 59) </maml:para><maml:para>F= Fractions of a second (0 to 9999999) </maml:para><maml:para>Note: Time values must be between the following values: -10675199:02:48:05.4775808 and 10675199:02:48:05.4775807. </maml:para><maml:para>The following examples show how to set this parameter. </maml:para><maml:para>Set the time span to 2 days </maml:para><maml:para>-MinPasswordAge "2" </maml:para><maml:para>Set the time span to 4 hours </maml:para><maml:para>-MinPasswordAge "4:00" </maml:para><maml:para>Set the time span to 5 minutes </maml:para><maml:para>-MinPasswordAge "0:5" </maml:para><maml:para>Set the time span to 45 seconds </maml:para><maml:para>-MinPasswordAge "0:0:45" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">TimeSpan</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>MinPasswordLength</maml:name><maml:description><maml:para>Specifies the minimum number of characters that a password must contain. This parameter sets the MinPasswordLength property of the password policy. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-MinPasswordLength 15 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PasswordHistoryCount</maml:name><maml:description><maml:para>Specifies the number of previous passwords to save. A user cannot reuse a password in the list of saved passwords. This parameter sets the PasswordHistoryCount property for a password policy. </maml:para><maml:para>The following example shows how to set this parameter to save 10 previous passwords. </maml:para><maml:para>-PasswordHistoryCount 10 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ReversibleEncryptionEnabled</maml:name><maml:description><maml:para>Specifies whether the directory must store passwords using reversible encryption. This parameter sets the ReversibleEncryption property for a password policy. Possible values for this parameter include the following: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ReversibleEncryptionEnabled $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ComplexityEnabled</maml:name><maml:description><maml:para>Specifies whether password complexity is enabled for the password policy. If enabled, the password must contain two of the following three character types: </maml:para><maml:para>Uppercase characters (A, B, C, D, E, ...) </maml:para><maml:para>Lowercase characters (a, b, c, d, e, ...) </maml:para><maml:para>Numerals (0, 1, 2, 3, ...) </maml:para><maml:para>This parameter sets the ComplexityEnabled property of a password policy. </maml:para><maml:para>Possible values for this parameter include: </maml:para><maml:para>$false or 0 - Disables password complexity </maml:para><maml:para>$true or 1 - Enables password complexity </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ComplexityEnabled $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue>$true</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory domain object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. All values are for the domainDNS object that represents the domain. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: DC=redmond,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370- </maml:para><maml:para>DNS domain name </maml:para><maml:para>Example: redmond.corp.contoso.com </maml:para><maml:para>NetBIOS domain name </maml:para><maml:para>Example: redmond </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a domain object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "DC=redmond,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a domain object instance named "domainInstance". </maml:para><maml:para>-Identity $domainInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADDefaultDomainPasswordPolicy</command:parameterValue><dev:type><maml:name>ADDefaultDomainPasswordPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LockoutDuration</maml:name><maml:description><maml:para>Specifies the length of time that an account is locked after the number of failed login attempts exceeds the lockout threshold. You cannot login to an account that is locked until the lockout duration time period has expired. This parameter sets the lockoutDuration property of a password policy object. The LDAP display name (ldapDisplayName) of this property is "msDS-LockoutDuration". </maml:para><maml:para>The lockout duration must be greater than or equal to the lockout observation time for a password policy. Use the LockOutObservationWindow parameter to set the lockout observation time. </maml:para><maml:para>Specify the lockout duration time interval in the following format. </maml:para><maml:para>[-]D.H:M:S.F </maml:para><maml:para>where: </maml:para><maml:para>D = Days (0 to 10675199) </maml:para><maml:para>H = Hours (0 to 23) </maml:para><maml:para>M = Minutes (0 to 59) </maml:para><maml:para>S = Seconds (0 to 59) </maml:para><maml:para>F= Fractions of a second (0 to 9999999) </maml:para><maml:para>The following examples show how to set this parameter. </maml:para><maml:para>Set the time to 2 days </maml:para><maml:para>-LockoutDuration "2" </maml:para><maml:para>Set the time to 4 hours </maml:para><maml:para>-LockoutDuration "4:00" </maml:para><maml:para>Set the time to 5 minutes </maml:para><maml:para>-LockoutDuration "0:5" </maml:para><maml:para>Set the time to 45 seconds </maml:para><maml:para>LockoutDuration "0:0:45" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">TimeSpan</command:parameterValue><dev:type><maml:name>TimeSpan</maml:name><maml:uri /></dev:type><dev:defaultValue>0.00:30:00 (30 Minutes)</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LockoutObservationWindow</maml:name><maml:description><maml:para>Specifies the maximum time interval between two unsuccessful login attempts before the number of unsuccessful login attempts is reset to 0. An account is locked when the number of unsuccessful login attempts exceeds the password policy lockout threshold. This parameter sets the lockoutObservationWindow property of a password policy object. The LDAP Display Name (ldapDisplayName) of this property is "msDS-lockoutObservationWindow". </maml:para><maml:para>The lockout observation window must be smaller than or equal to the lockout duration for a password policy. Use the LockoutDuration parameter to set the lockout duration time. </maml:para><maml:para>Specify the time interval in the following format. </maml:para><maml:para>[-]D:H:M:S.F </maml:para><maml:para>where: </maml:para><maml:para>D = Days (0 to 10675199) </maml:para><maml:para>H = Hours (0 to 23) </maml:para><maml:para>M = Minutes (0 to 59) </maml:para><maml:para>S = Seconds (0 to 59) </maml:para><maml:para>F= Fractions of a second (0 to 9999999) </maml:para><maml:para>Note: Time values must be between the following values: 0:0:0:0.0 and 10675199:02:48:05.4775807. </maml:para><maml:para>The following examples show how to set this parameter. </maml:para><maml:para>Set the time to 2 days </maml:para><maml:para>-LockoutObservationWindow "2" </maml:para><maml:para>Set the time to 4 hours </maml:para><maml:para>-LockoutObservationWindow "4:00" </maml:para><maml:para>Set the time to 5 minutes </maml:para><maml:para>-LockoutObservationWindow "0:5" </maml:para><maml:para>Set the time to 45 seconds </maml:para><maml:para>-LockoutObservationWindow "0:0:45" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">TimeSpan</command:parameterValue><dev:type><maml:name>TimeSpan</maml:name><maml:uri /></dev:type><dev:defaultValue>0.00.30.00 (30 Minutes)</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LockoutThreshold</maml:name><maml:description><maml:para>Specifies the number of unsuccessful login attempts that are permitted before an account is locked out. This number increases when the time between unsuccessful login attempts is less than the time specified for the lockout observation time window. This parameter sets the LockoutThreshold property of a password policy. </maml:para><maml:para>The following example shows how to set the lockout threshold to 3 login attempts. </maml:para><maml:para>-LockoutThreshold 3 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue>0</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>MaxPasswordAge</maml:name><maml:description><maml:para>Specifies the maximum length of time that you can have the same password. After this time period, the password expires and you must create a new one. </maml:para><maml:para>This parameter sets the maxPasswordAge property of a password policy. The LDAP Display Name (ldapDisplayName) for this property is "maxPwdAge". </maml:para><maml:para>Specify the time interval in the following format. </maml:para><maml:para>[-]D.H:M:S.F </maml:para><maml:para>where: </maml:para><maml:para>[-] = Specifies a negative time interval </maml:para><maml:para>D = Days (0 to 10675199) </maml:para><maml:para>H = Hours (0 to 23) </maml:para><maml:para>M = Minutes (0 to 59) </maml:para><maml:para>S = Seconds (0 to 59) </maml:para><maml:para>F= Fractions of a second (0 to 9999999) </maml:para><maml:para>Note: Time values must be between the following values: -10675199:02:48:05.4775808 and 10675199:02:48:05.4775807. </maml:para><maml:para>The following examples show how to set this parameter. </maml:para><maml:para>Set the time span to 2 days </maml:para><maml:para>MaxPasswordAge "2" </maml:para><maml:para>Set the time span to the previous 2 days </maml:para><maml:para>MaxPasswordAge "-2" </maml:para><maml:para>Set the time span to 4 hours </maml:para><maml:para>MaxPasswordAge "4:00" </maml:para><maml:para>Set the time span to 5 minutes </maml:para><maml:para>MaxPasswordAge "0:5" </maml:para><maml:para>Set the time span to 45 seconds </maml:para><maml:para>MaxPasswordAge "0:0:45" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">TimeSpan</command:parameterValue><dev:type><maml:name>TimeSpan</maml:name><maml:uri /></dev:type><dev:defaultValue>42.00:00:00 (42 days)</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>MinPasswordAge</maml:name><maml:description><maml:para>Specifies the minimum length of time before you can change a password. </maml:para><maml:para>This parameter sets the minPasswordAge property of a password policy. The LDAP Display Name (ldapDisplayName) for this property is "minPwdAge". </maml:para><maml:para>Specify the time interval in the following format. </maml:para><maml:para>[-]D.H:M:S.F </maml:para><maml:para>where: </maml:para><maml:para>[-] = Specifies a negative time interval </maml:para><maml:para>D = Days (0 to 10675199) </maml:para><maml:para>H = Hours (0 to 23) </maml:para><maml:para>M = Minutes (0 to 59) </maml:para><maml:para>S = Seconds (0 to 59) </maml:para><maml:para>F= Fractions of a second (0 to 9999999) </maml:para><maml:para>Note: Time values must be between the following values: -10675199:02:48:05.4775808 and 10675199:02:48:05.4775807. </maml:para><maml:para>The following examples show how to set this parameter. </maml:para><maml:para>Set the time span to 2 days </maml:para><maml:para>-MinPasswordAge "2" </maml:para><maml:para>Set the time span to 4 hours </maml:para><maml:para>-MinPasswordAge "4:00" </maml:para><maml:para>Set the time span to 5 minutes </maml:para><maml:para>-MinPasswordAge "0:5" </maml:para><maml:para>Set the time span to 45 seconds </maml:para><maml:para>-MinPasswordAge "0:0:45" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">TimeSpan</command:parameterValue><dev:type><maml:name>TimeSpan</maml:name><maml:uri /></dev:type><dev:defaultValue>1.00:00:00 (1day)</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>MinPasswordLength</maml:name><maml:description><maml:para>Specifies the minimum number of characters that a password must contain. This parameter sets the MinPasswordLength property of the password policy. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-MinPasswordLength 15 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue>7</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PasswordHistoryCount</maml:name><maml:description><maml:para>Specifies the number of previous passwords to save. A user cannot reuse a password in the list of saved passwords. This parameter sets the PasswordHistoryCount property for a password policy. </maml:para><maml:para>The following example shows how to set this parameter to save 10 previous passwords. </maml:para><maml:para>-PasswordHistoryCount 10 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue>24</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ReversibleEncryptionEnabled</maml:name><maml:description><maml:para>Specifies whether the directory must store passwords using reversible encryption. This parameter sets the ReversibleEncryption property for a password policy. Possible values for this parameter include the following: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ReversibleEncryptionEnabled $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue>$true</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADDomain</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A domain object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None </maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with AD LDS. </maml:para><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADDefaultDomainPasswordPolicy -Identity fabrikam.com -LockoutDuration 00:40:00 -LockoutObservationWindow 00:20:00 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false -MaxPasswordAge 10.00:00:00 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Set the default domain password policy for a given domain. Note: setting MaxPwdAge to 0 will convert it to 'never' (Int64.MinValue or -9223372036854775808 in the directory). </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADDefaultDomainPasswordPolicy -Current LoggedOnUser | Set-ADDefaultDomainPasswordPolicy -LockoutDuration 00:40:00 -LockoutObservationWindow 00:20:00 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false -MinPasswordLength 12 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Set the default domain password policy for the current logged on user domain. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291115</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADDefaultDomainPasswordPolicy</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Set-ADDomain</command:name><maml:description><maml:para>Modifies an Active Directory domain.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Set</command:verb><command:noun>ADDomain</command:noun><dev:version /></command:details><maml:description><maml:para>The Set-ADDomain cmdlet modifies the properties of an Active Directory domain. You can modify commonly used property values by using the cmdlet parameters. Property values that are not associated with cmdlet parameters can be modified by using the Add, Replace, Clear and Remove parameters. </maml:para><maml:para>The Identity parameter specifies the domain to modify. You can identify a domain by its distinguished name (DN), GUID, security identifier (SID), DNS domain name, or NetBIOS name. You can also set the Identity parameter to an object variable such as $<localDomainObject>, or you can pass an object through the pipeline to the Identity parameter. For example, you can use the Get-ADDomain cmdlet to retrieve a domain object and then pass the object through the pipeline to the Set-ADDomain cmdlet. </maml:para><maml:para>The Instance parameter provides a way to update a domain object by applying the changes made to a copy of the domain object. When you set the Instance parameter to a copy of an Active Directory domain object that has been modified, the Set-ADDomain cmdlet makes the same changes to the original domain object. To get a copy of the object to modify, use the Get-ADDomain object. When you specify the Instance parameter you should not pass the identity parameter. For more information about the Instance parameter, see the Instance parameter description. </maml:para><maml:para>The following examples show how to modify the ManagedBy property of a domain object by using three methods: </maml:para><maml:para>-By specifying the Identity and the ManagedBy parameters </maml:para><maml:para>-By passing a domain object through the pipeline and specifying the ManagedBy parameter </maml:para><maml:para>-By specifying the Instance parameter. </maml:para><maml:para>Method 1: Modify the ManagedBy property for the London domain by using the Identity and ManagedBy parameters. </maml:para><maml:para>Set-ADDomain -Identity London -ManagedBy SaraDavis </maml:para><maml:para>Method 2: Modify the ManagedBy property for the London domain by passing the London domain through the pipeline and specifying the ManagedBy parameter. </maml:para><maml:para>Get-ADDomain London | Set-ADDomain -ManagedBy SaraDavis </maml:para><maml:para>Method 3: Modify the ManagedBy property for the London domain by using the Windows PowerShell command line to modify a local instance of the London domain. Then set the Instance parameter to the local instance. </maml:para><maml:para>$domain = Get-ADDomain London </maml:para><maml:para>$domain.ManagedBy = SaraDavis </maml:para><maml:para>Set-ADDomain -Instance $domain. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Set-ADDomain</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory domain object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. All values are for the domainDNS object that represents the domain. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: DC=redmond,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370- </maml:para><maml:para>DNS domain name </maml:para><maml:para>Example: redmond.corp.contoso.com </maml:para><maml:para>NetBIOS domain name </maml:para><maml:para>Example: redmond </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a domain object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "DC=redmond,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a domain object instance named "domainInstance". </maml:para><maml:para>-Identity $domainInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADDomain</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AllowedDNSSuffixes</maml:name><maml:description><maml:para>Modifies the list of domain name server (DNS) suffixes that are allowed in a domain. This parameter sets the value of the msDS-AllowedDNSSuffixes attribute of the domainDNS object. This parameter uses the following syntax to add, remove, replace, or clear DNS suffix values. </maml:para><maml:para>To add values: </maml:para><maml:para>-AllowedDNSSuffixes @{Add=value1,value2,...} </maml:para><maml:para>To remove values: </maml:para><maml:para>-AllowedDNSSuffixes @{Remove=value3,value4,...} </maml:para><maml:para>To replace values: </maml:para><maml:para>-AllowedDNSSuffixes @{Replace=value1,value2,...} </maml:para><maml:para>To clear all values: </maml:para><maml:para>-AllowedDNSSuffixes $null </maml:para><maml:para>You can specify more than one change by using a list separated by semicolons. For example, use the following syntax to add and remove DNS suffix values: </maml:para><maml:para>@{Add=value1,value2,...};@{Remove=value3,value4,...} </maml:para><maml:para>The operators will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>The following example shows how to add and remove DNS suffixes for a domain. </maml:para><maml:para>-AllowedDNSSuffixes@{Add= "corp.contoso.com,contoso.com"};@{Remove="corpnet.contoso.com"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LastLogonReplicationInterval</maml:name><maml:description><maml:para>Specifies the time, in days, within which the last logon time of an account must be replicated across all domain controllers in the domain. This parameter sets the LastLogonReplicationInterval property for a domain. The LDAP display name (ldapDisplayName) for this property is msDS-LogonTimeSyncInterval. The last logon replication interval must be at least one day. Setting the last logon replication interval to a low value can significantly increase domain-wide replication. </maml:para><maml:para>The following example shows how to set this parameter to 10 days. </maml:para><maml:para>-LastLogonReplicationInterval "10" </maml:para><maml:para>Note: This value does not apply when the domain mode is set to the value "Windows2000". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">TimeSpan</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ManagedBy</maml:name><maml:description><maml:para>Specifies the user or group that manages the object by providing one of the following property values. Note: The identifier in parentheses is the LDAP display name for the property. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,OU=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>This parameter sets the Active Directory attribute with an LDAP Display Name of "managedBy". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-ManagedBy ContosoAdmins </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADPrincipal</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Set-ADDomain</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AllowedDNSSuffixes</maml:name><maml:description><maml:para>Modifies the list of domain name server (DNS) suffixes that are allowed in a domain. This parameter sets the value of the msDS-AllowedDNSSuffixes attribute of the domainDNS object. This parameter uses the following syntax to add, remove, replace, or clear DNS suffix values. </maml:para><maml:para>To add values: </maml:para><maml:para>-AllowedDNSSuffixes @{Add=value1,value2,...} </maml:para><maml:para>To remove values: </maml:para><maml:para>-AllowedDNSSuffixes @{Remove=value3,value4,...} </maml:para><maml:para>To replace values: </maml:para><maml:para>-AllowedDNSSuffixes @{Replace=value1,value2,...} </maml:para><maml:para>To clear all values: </maml:para><maml:para>-AllowedDNSSuffixes $null </maml:para><maml:para>You can specify more than one change by using a list separated by semicolons. For example, use the following syntax to add and remove DNS suffix values: </maml:para><maml:para>@{Add=value1,value2,...};@{Remove=value3,value4,...} </maml:para><maml:para>The operators will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>The following example shows how to add and remove DNS suffixes for a domain. </maml:para><maml:para>-AllowedDNSSuffixes@{Add= "corp.contoso.com,contoso.com"};@{Remove="corpnet.contoso.com"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LastLogonReplicationInterval</maml:name><maml:description><maml:para>Specifies the time, in days, within which the last logon time of an account must be replicated across all domain controllers in the domain. This parameter sets the LastLogonReplicationInterval property for a domain. The LDAP display name (ldapDisplayName) for this property is msDS-LogonTimeSyncInterval. The last logon replication interval must be at least one day. Setting the last logon replication interval to a low value can significantly increase domain-wide replication. </maml:para><maml:para>The following example shows how to set this parameter to 10 days. </maml:para><maml:para>-LastLogonReplicationInterval "10" </maml:para><maml:para>Note: This value does not apply when the domain mode is set to the value "Windows2000". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">TimeSpan</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ManagedBy</maml:name><maml:description><maml:para>Specifies the user or group that manages the object by providing one of the following property values. Note: The identifier in parentheses is the LDAP display name for the property. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,OU=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>This parameter sets the Active Directory attribute with an LDAP Display Name of "managedBy". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-ManagedBy ContosoAdmins </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADPrincipal</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies a modified copy of a domain object to use to update the actual Active Directory domain object. When this parameter is used, any modifications made to the modified copy of the object are also made to the corresponding Active Directory object. The cmdlet only updates the object properties that have changed. </maml:para><maml:para>The Instance parameter can only update domain objects that have been retrieved by using the Get-ADDomain cmdlet. When you specify the Instance parameter, you cannot specify other parameters that set properties on the object. </maml:para><maml:para>The following is an example of how to use the Get-ADDomain cmdlet to retrieve an instance of the ADDomain object. The object is modified by using the Windows PowerShell command line. Then the Set-ADDomain cmdlet saves the changes to the Active Directory object. </maml:para><maml:para>Step 1: Retrieve a local instance of the object. </maml:para><maml:para>$domainInstance = Get-ADDomain -Identity "contosoDomain" </maml:para><maml:para>Step 2: Modify one or more properties of the object instance. </maml:para><maml:para>$domainInstance.ManagedBy = "saraDavisGroup" </maml:para><maml:para>Step3: Save your changes to contosoDomain. </maml:para><maml:para>Set-ADDomain -Instance $domainInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADDomain</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AllowedDNSSuffixes</maml:name><maml:description><maml:para>Modifies the list of domain name server (DNS) suffixes that are allowed in a domain. This parameter sets the value of the msDS-AllowedDNSSuffixes attribute of the domainDNS object. This parameter uses the following syntax to add, remove, replace, or clear DNS suffix values. </maml:para><maml:para>To add values: </maml:para><maml:para>-AllowedDNSSuffixes @{Add=value1,value2,...} </maml:para><maml:para>To remove values: </maml:para><maml:para>-AllowedDNSSuffixes @{Remove=value3,value4,...} </maml:para><maml:para>To replace values: </maml:para><maml:para>-AllowedDNSSuffixes @{Replace=value1,value2,...} </maml:para><maml:para>To clear all values: </maml:para><maml:para>-AllowedDNSSuffixes $null </maml:para><maml:para>You can specify more than one change by using a list separated by semicolons. For example, use the following syntax to add and remove DNS suffix values: </maml:para><maml:para>@{Add=value1,value2,...};@{Remove=value3,value4,...} </maml:para><maml:para>The operators will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>The following example shows how to add and remove DNS suffixes for a domain. </maml:para><maml:para>-AllowedDNSSuffixes@{Add= "corp.contoso.com,contoso.com"};@{Remove="corpnet.contoso.com"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory domain object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. All values are for the domainDNS object that represents the domain. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: DC=redmond,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370- </maml:para><maml:para>DNS domain name </maml:para><maml:para>Example: redmond.corp.contoso.com </maml:para><maml:para>NetBIOS domain name </maml:para><maml:para>Example: redmond </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a domain object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "DC=redmond,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a domain object instance named "domainInstance". </maml:para><maml:para>-Identity $domainInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADDomain</command:parameterValue><dev:type><maml:name>ADDomain</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies a modified copy of a domain object to use to update the actual Active Directory domain object. When this parameter is used, any modifications made to the modified copy of the object are also made to the corresponding Active Directory object. The cmdlet only updates the object properties that have changed. </maml:para><maml:para>The Instance parameter can only update domain objects that have been retrieved by using the Get-ADDomain cmdlet. When you specify the Instance parameter, you cannot specify other parameters that set properties on the object. </maml:para><maml:para>The following is an example of how to use the Get-ADDomain cmdlet to retrieve an instance of the ADDomain object. The object is modified by using the Windows PowerShell command line. Then the Set-ADDomain cmdlet saves the changes to the Active Directory object. </maml:para><maml:para>Step 1: Retrieve a local instance of the object. </maml:para><maml:para>$domainInstance = Get-ADDomain -Identity "contosoDomain" </maml:para><maml:para>Step 2: Modify one or more properties of the object instance. </maml:para><maml:para>$domainInstance.ManagedBy = "saraDavisGroup" </maml:para><maml:para>Step3: Save your changes to contosoDomain. </maml:para><maml:para>Set-ADDomain -Instance $domainInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADDomain</command:parameterValue><dev:type><maml:name>ADDomain</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LastLogonReplicationInterval</maml:name><maml:description><maml:para>Specifies the time, in days, within which the last logon time of an account must be replicated across all domain controllers in the domain. This parameter sets the LastLogonReplicationInterval property for a domain. The LDAP display name (ldapDisplayName) for this property is msDS-LogonTimeSyncInterval. The last logon replication interval must be at least one day. Setting the last logon replication interval to a low value can significantly increase domain-wide replication. </maml:para><maml:para>The following example shows how to set this parameter to 10 days. </maml:para><maml:para>-LastLogonReplicationInterval "10" </maml:para><maml:para>Note: This value does not apply when the domain mode is set to the value "Windows2000". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">TimeSpan</command:parameterValue><dev:type><maml:name>TimeSpan</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ManagedBy</maml:name><maml:description><maml:para>Specifies the user or group that manages the object by providing one of the following property values. Note: The identifier in parentheses is the LDAP display name for the property. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,OU=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>This parameter sets the Active Directory attribute with an LDAP Display Name of "managedBy". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-ManagedBy ContosoAdmins </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADPrincipal</command:parameterValue><dev:type><maml:name>ADPrincipal</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADDomain</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A domain object is received by the Identity parameter. </maml:para><maml:para>A domain object that was retrieved by using the Get-ADDomain cmdlet and then modified is received by the Instance parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADDomain</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns the modified domain object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with AD LDS. </maml:para><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADDomain -Identity FABRIKAM -AllowedDNSSuffixes @{Replace="fabrikam.com","corp.fabrikam.com"} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Sets the value of AllowedDNSSuffixes to {"fabrikam.com","corp.fabrikam.com"} in domain "FABRIKAM". </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADDomain -Identity FABRIKAM -AllowedDNSSuffixes @{Add="corp.fabrikam.com"} Adds the value "corp.fabrikam.com" to the AllowedDNSSuffixes in domain "FABRIKAM". </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADDomain -Identity FABRIKAM -ManagedBy 'CN=Domain Admins,CN=Users,DC=FABRIKAM,DC=COM' </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Sets the ManagedBy property in domain "FABRIKAM" to 'CN=Domain Admins,CN=Users,DC=FABRIKAM,DC=COM'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADDomain | Set-ADDomain -LastLogonReplicationInterval "10" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Sets the LastLogonReplicationInterval of the current logged on user domain to "10". </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291116</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADDomain</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Set-ADDomainMode</command:name><maml:description><maml:para>Sets the domain mode for an Active Directory domain.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Set</command:verb><command:noun>ADDomainMode</command:noun><dev:version /></command:details><maml:description><maml:para>The Set-ADDomainMode cmdlet sets the domain mode for a domain. You specify the domain mode by setting the DomainMode parameter. </maml:para><maml:para>The domain mode can be set to the following values that are listed in order of functionality from lowest to highest. </maml:para><maml:para>Windows2000Domain </maml:para><maml:para>Windows2003InterimDomain </maml:para><maml:para>Windows2003Domain </maml:para><maml:para>Windows2008Domain </maml:para><maml:para>Windows2008R2Domain </maml:para><maml:para>You can change the domain mode to a mode with higher functionality only. For example, if the domain mode for a domain is set to Windows 2003, you can use this cmdlet to change the mode to Windows 2008. However, in the same situation, you cannot use this cmdlet to change the domain mode from Windows 2003 to Windows 2000. </maml:para><maml:para>The Identity parameter specifies the Active Directory domain to modify. You can identify a domain by its distinguished name (DN), GUID, security identifier (SID), DNS domain name, or NetBIOS name. You can also set the Identity parameter to a domain object variable such as $<localADDomainObject>, or you can pass a domain object through the pipeline to the Identity parameter. For example, you can use the Get-ADDomain cmdlet to retrieve a domain object and then pass the object through the pipeline to the Set-ADDomainMode cmdlet. </maml:para><maml:para>The Set-ADDomainMode always prompts for permission unless you specify -confirm:$false. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Set-ADDomainMode</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory domain object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. All values are for the domainDNS object that represents the domain. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: DC=redmond,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370- </maml:para><maml:para>DNS domain name </maml:para><maml:para>Example: redmond.corp.contoso.com </maml:para><maml:para>NetBIOS domain name </maml:para><maml:para>Example: redmond </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a domain object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "DC=redmond,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a domain object instance named "domainInstance". </maml:para><maml:para>-Identity $domainInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADDomain</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="3" aliases=""><maml:name>DomainMode</maml:name><maml:description><maml:para>Specifies the domain mode for an Active Directory domain. You can set the domain mode to one of the following values that are listed in order of functionality from least to most. </maml:para><maml:para>Windows2000Domain or 0 </maml:para><maml:para>Windows2003InterimDomain or 1 </maml:para><maml:para>Windows2003Domain or 2 </maml:para><maml:para>Windows2008Domain or 3 </maml:para><maml:para>Windows2008R2Domain or 4 </maml:para><maml:para>The following example shows how to set this parameter to Windows 2008 R2. </maml:para><maml:para>-DomainMode Windows2008R2Domain </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">UnknownDomain</command:parameterValue><command:parameterValue required="true" variableLength="false">Windows2000Domain</command:parameterValue><command:parameterValue required="true" variableLength="false">Windows2003InterimDomain</command:parameterValue><command:parameterValue required="true" variableLength="false">Windows2003Domain</command:parameterValue><command:parameterValue required="true" variableLength="false">Windows2008Domain</command:parameterValue><command:parameterValue required="true" variableLength="false">Windows2008R2Domain</command:parameterValue><command:parameterValue required="true" variableLength="false">Windows2012Domain</command:parameterValue><command:parameterValue required="true" variableLength="false">Windows2012R2Domain</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="3" aliases=""><maml:name>DomainMode</maml:name><maml:description><maml:para>Specifies the domain mode for an Active Directory domain. You can set the domain mode to one of the following values that are listed in order of functionality from least to most. </maml:para><maml:para>Windows2000Domain or 0 </maml:para><maml:para>Windows2003InterimDomain or 1 </maml:para><maml:para>Windows2003Domain or 2 </maml:para><maml:para>Windows2008Domain or 3 </maml:para><maml:para>Windows2008R2Domain or 4 </maml:para><maml:para>The following example shows how to set this parameter to Windows 2008 R2. </maml:para><maml:para>-DomainMode Windows2008R2Domain </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADDomainMode</command:parameterValue><dev:type><maml:name>ADDomainMode</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory domain object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. All values are for the domainDNS object that represents the domain. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: DC=redmond,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370- </maml:para><maml:para>DNS domain name </maml:para><maml:para>Example: redmond.corp.contoso.com </maml:para><maml:para>NetBIOS domain name </maml:para><maml:para>Example: redmond </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a domain object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "DC=redmond,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a domain object instance named "domainInstance". </maml:para><maml:para>-Identity $domainInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADDomain</command:parameterValue><dev:type><maml:name>ADDomain</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADDomain</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A domain object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADDomain</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns the modified domain object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with AD LDS. </maml:para><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para><maml:para>This cmdlet does not work when connected to Global Catalog port. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADDomainMode -Identity fabrikam.com -DomainMode Windows2003Domain </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Set the DomainMode property of the fabrikam.com domain to Windows2003Domain. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>$pdc = Get-ADDomainController -Discover -Service PrimaryDC Set-ADDomainMode -Identity $pdc.Domain -Server $pdc.HostName[0] -DomainMode Windows2003Domain </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Set the DomainMode of the current logged on user's domain to Windows2003Domain. The Set operation targets the PrimaryDC FSMO to apply the update. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291117</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADDomain</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Set-ADFineGrainedPasswordPolicy</command:name><maml:description><maml:para>Modifies an Active Directory fine grained password policy.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Set</command:verb><command:noun>ADFineGrainedPasswordPolicy</command:noun><dev:version /></command:details><maml:description><maml:para>The Set-ADFineGrainedPasswordPolicy cmdlet modifies the properties of an Active Directory fine grained password policy. You can modify commonly used property values by using the cmdlet parameters. Property values that are not associated with cmdlet parameters can be modified by using the Add, Replace, Clear and Remove parameters. </maml:para><maml:para>The Identity parameter specifies the Active Directory fine grained password policy to modify. You can identify a fine grained password policy by its distinguished name (DN), GUID or name. You can also set the Identity parameter to an object variable such as $<localFineGrainedPasswordPolicyObject>, or you can pass an object through the pipeline to the Identity parameter. For example, you can use the Get-ADFineGrainedPasswordPolicy cmdlet to retrieve a fine grained password policy object and then pass the object through the pipeline to the Set-ADFineGrainedPasswordPolicy cmdlet. </maml:para><maml:para>The Instance parameter provides a way to update a fine grained password policy object by applying the changes made to a copy of the object. When you set the Instance parameter to a copy of an Active Directory fine grained password policy object that has been modified, the Set-ADFineGrainedPasswordPolicy cmdlet makes the same changes to the original fine grained password policy object. To get a copy of the object to modify, use the Get-ADFineGrainedPasswordPolicy object. The Identity parameter is not allowed when you use the Instance parameter. For more information about the Instance parameter, see the Instance parameter description. For more information about how the Instance concept is used in Active Directory cmdlets, see about_ActiveDirectory_Instance </maml:para><maml:para>The following examples show how to modify the Precedence property of a fine grained password policy object by using three methods: </maml:para><maml:para>-By specifying the Identity and the Precedence parameters </maml:para><maml:para>-By passing a fine grained password policy object through the pipeline and specifying the Precedence parameter </maml:para><maml:para>-By specifying the Instance parameter. </maml:para><maml:para>Method 1: Modify the Precedence property for the Level3Policyfine grained password policy by using the Identity and Precedence parameters. </maml:para><maml:para>Set-ADFineGrainedPasswordPolicy -Identity "Level3Policy" -Precedence 150 </maml:para><maml:para>Method 2: Modify the Precedence property for the Level3Policyfine grained password policy by passing the Level3Policyfine grained password policy through the pipeline and specifying the Precedence parameter. </maml:para><maml:para>Get-ADFineGrainedPasswordPolicy -Identity "Level3Policy"| Set-ADFineGrainedPasswordPolicy -Precedence 150 </maml:para><maml:para>Method 3: Modify the Precedence property for the Level3Policy fine grained password policy by using the Windows PowerShell command line to modify a local instance of the Level3Policyfine grained password policy. Then set the Instance parameter to the local instance. </maml:para><maml:para>$fineGrainedPasswordPolicy = Get-ADFineGrainedPasswordPolicy Level3Policy </maml:para><maml:para>$fineGrainedPasswordPolicy.Precedence = 150 </maml:para><maml:para>Set-ADFineGrainedPasswordPolicy -Instance $fineGrainedPasswordPolicy </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Set-ADFineGrainedPasswordPolicy</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory fine-grained password policy object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name (distinguishedName) </maml:para><maml:para>Example: CN=Strict Password Policy,CN=Password Settings Container,CN=System,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Name (name) </maml:para><maml:para>Example: PasswordPolicyLevel1 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a fine-grained password policy object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=Strict Password Policy,CN=Password Settings Container,CN=System,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a fine-grained password policy object instance named "fineGrainedPasswordPolicyInstance". </maml:para><maml:para>-Identity $fineGrainedPasswordPolicyInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADFineGrainedPasswordPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ComplexityEnabled</maml:name><maml:description><maml:para>Specifies whether password complexity is enabled for the password policy. If enabled, the password must contain two of the following three character types: </maml:para><maml:para>Uppercase characters (A, B, C, D, E, ...) </maml:para><maml:para>Lowercase characters (a, b, c, d, e, ...) </maml:para><maml:para>Numerals (0, 1, 2, 3, ...) </maml:para><maml:para>This parameter sets the ComplexityEnabled property of a password policy. </maml:para><maml:para>Possible values for this parameter include: </maml:para><maml:para>$false or 0 - Disables password complexity </maml:para><maml:para>$true or 1 - Enables password complexity </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ComplexityEnabled $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is "displayName". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-DisplayName "Sara Davis Laptop" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LockoutDuration</maml:name><maml:description><maml:para>Specifies the length of time that an account is locked after the number of failed login attempts exceeds the lockout threshold. You cannot login to an account that is locked until the lockout duration time period has expired. This parameter sets the lockoutDuration property of a password policy object. The LDAP display name (ldapDisplayName) of this property is "msDS-LockoutDuration". </maml:para><maml:para>The lockout duration must be greater than or equal to the lockout observation time for a password policy. Use the LockOutObservationWindow parameter to set the lockout observation time. </maml:para><maml:para>Specify the lockout duration time interval in the following format. </maml:para><maml:para>[-]D.H:M:S.F </maml:para><maml:para>where: </maml:para><maml:para>D = Days (0 to 10675199) </maml:para><maml:para>H = Hours (0 to 23) </maml:para><maml:para>M = Minutes (0 to 59) </maml:para><maml:para>S = Seconds (0 to 59) </maml:para><maml:para>F= Fractions of a second (0 to 9999999) </maml:para><maml:para>The following examples show how to set this parameter. </maml:para><maml:para>Set the time to 2 days </maml:para><maml:para>-LockoutDuration "2" </maml:para><maml:para>Set the time to 4 hours </maml:para><maml:para>-LockoutDuration "4:00" </maml:para><maml:para>Set the time to 5 minutes </maml:para><maml:para>-LockoutDuration "0:5" </maml:para><maml:para>Set the time to 45 seconds </maml:para><maml:para>LockoutDuration "0:0:45" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">TimeSpan</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LockoutObservationWindow</maml:name><maml:description><maml:para>Specifies the maximum time interval between two unsuccessful login attempts before the number of unsuccessful login attempts is reset to 0. An account is locked when the number of unsuccessful login attempts exceeds the password policy lockout threshold. This parameter sets the lockoutObservationWindow property of a password policy object. The LDAP Display Name (ldapDisplayName) of this property is "msDS-lockoutObservationWindow". </maml:para><maml:para>The lockout observation window must be smaller than or equal to the lockout duration for a password policy. Use the LockoutDuration parameter to set the lockout duration time. </maml:para><maml:para>Specify the time interval in the following format. </maml:para><maml:para>[-]D:H:M:S.F </maml:para><maml:para>where: </maml:para><maml:para>D = Days (0 to 10675199) </maml:para><maml:para>H = Hours (0 to 23) </maml:para><maml:para>M = Minutes (0 to 59) </maml:para><maml:para>S = Seconds (0 to 59) </maml:para><maml:para>F= Fractions of a second (0 to 9999999) </maml:para><maml:para>Note: Time values must be between the following values: 0:0:0:0.0 and 10675199:02:48:05.4775807. </maml:para><maml:para>The following examples show how to set this parameter. </maml:para><maml:para>Set the time to 2 days </maml:para><maml:para>-LockoutObservationWindow "2" </maml:para><maml:para>Set the time to 4 hours </maml:para><maml:para>-LockoutObservationWindow "4:00" </maml:para><maml:para>Set the time to 5 minutes </maml:para><maml:para>-LockoutObservationWindow "0:5" </maml:para><maml:para>Set the time to 45 seconds </maml:para><maml:para>-LockoutObservationWindow "0:0:45" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">TimeSpan</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LockoutThreshold</maml:name><maml:description><maml:para>Specifies the number of unsuccessful login attempts that are permitted before an account is locked out. This number increases when the time between unsuccessful login attempts is less than the time specified for the lockout observation time window. This parameter sets the LockoutThreshold property of a password policy. </maml:para><maml:para>The following example shows how to set the lockout threshold to 3 login attempts. </maml:para><maml:para>-LockoutThreshold 3 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>MaxPasswordAge</maml:name><maml:description><maml:para>Specifies the maximum length of time that you can have the same password. After this time period, the password expires and you must create a new one. </maml:para><maml:para>This parameter sets the maxPasswordAge property of a password policy. The LDAP Display Name (ldapDisplayName) for this property is "maxPwdAge". </maml:para><maml:para>Specify the time interval in the following format. </maml:para><maml:para>[-]D.H:M:S.F </maml:para><maml:para>where: </maml:para><maml:para>[-] = Specifies a negative time interval </maml:para><maml:para>D = Days (0 to 10675199) </maml:para><maml:para>H = Hours (0 to 23) </maml:para><maml:para>M = Minutes (0 to 59) </maml:para><maml:para>S = Seconds (0 to 59) </maml:para><maml:para>F= Fractions of a second (0 to 9999999) </maml:para><maml:para>Note: Time values must be between the following values: -10675199:02:48:05.4775808 and 10675199:02:48:05.4775807. </maml:para><maml:para>The following examples show how to set this parameter. </maml:para><maml:para>Set the time span to 2 days </maml:para><maml:para>MaxPasswordAge "2" </maml:para><maml:para>Set the time span to the previous 2 days </maml:para><maml:para>MaxPasswordAge "-2" </maml:para><maml:para>Set the time span to 4 hours </maml:para><maml:para>MaxPasswordAge "4:00" </maml:para><maml:para>Set the time span to 5 minutes </maml:para><maml:para>MaxPasswordAge "0:5" </maml:para><maml:para>Set the time span to 45 seconds </maml:para><maml:para>MaxPasswordAge "0:0:45" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">TimeSpan</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>MinPasswordAge</maml:name><maml:description><maml:para>Specifies the minimum length of time before you can change a password. </maml:para><maml:para>This parameter sets the minPasswordAge property of a password policy. The LDAP Display Name (ldapDisplayName) for this property is "minPwdAge". </maml:para><maml:para>Specify the time interval in the following format. </maml:para><maml:para>[-]D.H:M:S.F </maml:para><maml:para>where: </maml:para><maml:para>[-] = Specifies a negative time interval </maml:para><maml:para>D = Days (0 to 10675199) </maml:para><maml:para>H = Hours (0 to 23) </maml:para><maml:para>M = Minutes (0 to 59) </maml:para><maml:para>S = Seconds (0 to 59) </maml:para><maml:para>F= Fractions of a second (0 to 9999999) </maml:para><maml:para>Note: Time values must be between the following values: -10675199:02:48:05.4775808 and 10675199:02:48:05.4775807. </maml:para><maml:para>The following examples show how to set this parameter. </maml:para><maml:para>Set the time span to 2 days </maml:para><maml:para>-MinPasswordAge "2" </maml:para><maml:para>Set the time span to 4 hours </maml:para><maml:para>-MinPasswordAge "4:00" </maml:para><maml:para>Set the time span to 5 minutes </maml:para><maml:para>-MinPasswordAge "0:5" </maml:para><maml:para>Set the time span to 45 seconds </maml:para><maml:para>-MinPasswordAge "0:0:45" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">TimeSpan</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>MinPasswordLength</maml:name><maml:description><maml:para>Specifies the minimum number of characters that a password must contain. This parameter sets the MinPasswordLength property of the password policy. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-MinPasswordLength 15 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PasswordHistoryCount</maml:name><maml:description><maml:para>Specifies the number of previous passwords to save. A user cannot reuse a password in the list of saved passwords. This parameter sets the PasswordHistoryCount property for a password policy. </maml:para><maml:para>The following example shows how to set this parameter to save 10 previous passwords. </maml:para><maml:para>-PasswordHistoryCount 10 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Precedence</maml:name><maml:description><maml:para>Specifies a value that defines the precedence of a fine-grained password policy among all fine-grained password policies. This parameter sets the Precedence property for a fine-grained password policy. The LDAP display name (ldapDisplayName) for this property is "msDS-PasswordSettingsPrecedence". </maml:para><maml:para>This value determines which password policy to use when more than one password policy applies to a user or group. When there is a conflict, the password policy that has the lower Precedence property value has higher priority. For example, if PasswordPolicy1 has a Precedence property value of 200 and PasswordPolicy2 has a Precedence property value of 100, PasswordPolicy2 is used. </maml:para><maml:para>Typically, password policy precedence values are assigned in multiples of 10 or 100, making it easier to add policies at a later time. For example, if you set the initial precedence values for your policies to 100 and 200, you can add another policy that has precedence value of 150. </maml:para><maml:para>If the specified Precedence parameter is already assigned to another password policy object, the cmdlet returns a terminating error. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Precedence 100 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ReversibleEncryptionEnabled</maml:name><maml:description><maml:para>Specifies whether the directory must store passwords using reversible encryption. This parameter sets the ReversibleEncryption property for a password policy. Possible values for this parameter include the following: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ReversibleEncryptionEnabled $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Set-ADFineGrainedPasswordPolicy</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies a modified copy of a fine-grained password policy object to use to update the actual Active Directory fine-grained password policy object. When this parameter is used, any modifications made to the modified copy of the object are also made to the corresponding Active Directory object. The cmdlet only updates the object properties that have changed. </maml:para><maml:para>The Instance parameter can only update fine-grained password policy objects that have been retrieved by using the Get-ADFineGrainedPasswordPolicy cmdlet. When you specify the Instance parameter, you cannot specify other parameters that set properties on the object. </maml:para><maml:para>The following is an example of how to use the Get-ADFineGrainedPasswordPolicy cmdlet to retrieve an instance of the ADFineGrainedPasswordPolicy object. The object is modified by using the Windows PowerShell command line. Then the Set-ADFineGrainedPasswordPolicy cmdlet saves the changes to the Active Directory object. </maml:para><maml:para>Step 1: Retrieve a local instance of the object. </maml:para><maml:para>$fineGrainedPasswordPolicyInstance = Get-ADFineGrainedPasswordPolicy -Identity PasswordPolicyLevel2 </maml:para><maml:para>Step 2: Modify one or more properties of the object instance. </maml:para><maml:para>$fineGrainedPasswordPolicyInstance.Precedence = 250 </maml:para><maml:para>Step3: Save your changes to PasswordPolicyLevel2. </maml:para><maml:para>Set-ADFineGrainedPasswordPolicy -Instance $fineGrainedPasswordPolicyInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADFineGrainedPasswordPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ComplexityEnabled</maml:name><maml:description><maml:para>Specifies whether password complexity is enabled for the password policy. If enabled, the password must contain two of the following three character types: </maml:para><maml:para>Uppercase characters (A, B, C, D, E, ...) </maml:para><maml:para>Lowercase characters (a, b, c, d, e, ...) </maml:para><maml:para>Numerals (0, 1, 2, 3, ...) </maml:para><maml:para>This parameter sets the ComplexityEnabled property of a password policy. </maml:para><maml:para>Possible values for this parameter include: </maml:para><maml:para>$false or 0 - Disables password complexity </maml:para><maml:para>$true or 1 - Enables password complexity </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ComplexityEnabled $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is "displayName". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-DisplayName "Sara Davis Laptop" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory fine-grained password policy object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name (distinguishedName) </maml:para><maml:para>Example: CN=Strict Password Policy,CN=Password Settings Container,CN=System,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Name (name) </maml:para><maml:para>Example: PasswordPolicyLevel1 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a fine-grained password policy object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=Strict Password Policy,CN=Password Settings Container,CN=System,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a fine-grained password policy object instance named "fineGrainedPasswordPolicyInstance". </maml:para><maml:para>-Identity $fineGrainedPasswordPolicyInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADFineGrainedPasswordPolicy</command:parameterValue><dev:type><maml:name>ADFineGrainedPasswordPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies a modified copy of a fine-grained password policy object to use to update the actual Active Directory fine-grained password policy object. When this parameter is used, any modifications made to the modified copy of the object are also made to the corresponding Active Directory object. The cmdlet only updates the object properties that have changed. </maml:para><maml:para>The Instance parameter can only update fine-grained password policy objects that have been retrieved by using the Get-ADFineGrainedPasswordPolicy cmdlet. When you specify the Instance parameter, you cannot specify other parameters that set properties on the object. </maml:para><maml:para>The following is an example of how to use the Get-ADFineGrainedPasswordPolicy cmdlet to retrieve an instance of the ADFineGrainedPasswordPolicy object. The object is modified by using the Windows PowerShell command line. Then the Set-ADFineGrainedPasswordPolicy cmdlet saves the changes to the Active Directory object. </maml:para><maml:para>Step 1: Retrieve a local instance of the object. </maml:para><maml:para>$fineGrainedPasswordPolicyInstance = Get-ADFineGrainedPasswordPolicy -Identity PasswordPolicyLevel2 </maml:para><maml:para>Step 2: Modify one or more properties of the object instance. </maml:para><maml:para>$fineGrainedPasswordPolicyInstance.Precedence = 250 </maml:para><maml:para>Step3: Save your changes to PasswordPolicyLevel2. </maml:para><maml:para>Set-ADFineGrainedPasswordPolicy -Instance $fineGrainedPasswordPolicyInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADFineGrainedPasswordPolicy</command:parameterValue><dev:type><maml:name>ADFineGrainedPasswordPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LockoutDuration</maml:name><maml:description><maml:para>Specifies the length of time that an account is locked after the number of failed login attempts exceeds the lockout threshold. You cannot login to an account that is locked until the lockout duration time period has expired. This parameter sets the lockoutDuration property of a password policy object. The LDAP display name (ldapDisplayName) of this property is "msDS-LockoutDuration". </maml:para><maml:para>The lockout duration must be greater than or equal to the lockout observation time for a password policy. Use the LockOutObservationWindow parameter to set the lockout observation time. </maml:para><maml:para>Specify the lockout duration time interval in the following format. </maml:para><maml:para>[-]D.H:M:S.F </maml:para><maml:para>where: </maml:para><maml:para>D = Days (0 to 10675199) </maml:para><maml:para>H = Hours (0 to 23) </maml:para><maml:para>M = Minutes (0 to 59) </maml:para><maml:para>S = Seconds (0 to 59) </maml:para><maml:para>F= Fractions of a second (0 to 9999999) </maml:para><maml:para>The following examples show how to set this parameter. </maml:para><maml:para>Set the time to 2 days </maml:para><maml:para>-LockoutDuration "2" </maml:para><maml:para>Set the time to 4 hours </maml:para><maml:para>-LockoutDuration "4:00" </maml:para><maml:para>Set the time to 5 minutes </maml:para><maml:para>-LockoutDuration "0:5" </maml:para><maml:para>Set the time to 45 seconds </maml:para><maml:para>LockoutDuration "0:0:45" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">TimeSpan</command:parameterValue><dev:type><maml:name>TimeSpan</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LockoutObservationWindow</maml:name><maml:description><maml:para>Specifies the maximum time interval between two unsuccessful login attempts before the number of unsuccessful login attempts is reset to 0. An account is locked when the number of unsuccessful login attempts exceeds the password policy lockout threshold. This parameter sets the lockoutObservationWindow property of a password policy object. The LDAP Display Name (ldapDisplayName) of this property is "msDS-lockoutObservationWindow". </maml:para><maml:para>The lockout observation window must be smaller than or equal to the lockout duration for a password policy. Use the LockoutDuration parameter to set the lockout duration time. </maml:para><maml:para>Specify the time interval in the following format. </maml:para><maml:para>[-]D:H:M:S.F </maml:para><maml:para>where: </maml:para><maml:para>D = Days (0 to 10675199) </maml:para><maml:para>H = Hours (0 to 23) </maml:para><maml:para>M = Minutes (0 to 59) </maml:para><maml:para>S = Seconds (0 to 59) </maml:para><maml:para>F= Fractions of a second (0 to 9999999) </maml:para><maml:para>Note: Time values must be between the following values: 0:0:0:0.0 and 10675199:02:48:05.4775807. </maml:para><maml:para>The following examples show how to set this parameter. </maml:para><maml:para>Set the time to 2 days </maml:para><maml:para>-LockoutObservationWindow "2" </maml:para><maml:para>Set the time to 4 hours </maml:para><maml:para>-LockoutObservationWindow "4:00" </maml:para><maml:para>Set the time to 5 minutes </maml:para><maml:para>-LockoutObservationWindow "0:5" </maml:para><maml:para>Set the time to 45 seconds </maml:para><maml:para>-LockoutObservationWindow "0:0:45" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">TimeSpan</command:parameterValue><dev:type><maml:name>TimeSpan</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LockoutThreshold</maml:name><maml:description><maml:para>Specifies the number of unsuccessful login attempts that are permitted before an account is locked out. This number increases when the time between unsuccessful login attempts is less than the time specified for the lockout observation time window. This parameter sets the LockoutThreshold property of a password policy. </maml:para><maml:para>The following example shows how to set the lockout threshold to 3 login attempts. </maml:para><maml:para>-LockoutThreshold 3 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>MaxPasswordAge</maml:name><maml:description><maml:para>Specifies the maximum length of time that you can have the same password. After this time period, the password expires and you must create a new one. </maml:para><maml:para>This parameter sets the maxPasswordAge property of a password policy. The LDAP Display Name (ldapDisplayName) for this property is "maxPwdAge". </maml:para><maml:para>Specify the time interval in the following format. </maml:para><maml:para>[-]D.H:M:S.F </maml:para><maml:para>where: </maml:para><maml:para>[-] = Specifies a negative time interval </maml:para><maml:para>D = Days (0 to 10675199) </maml:para><maml:para>H = Hours (0 to 23) </maml:para><maml:para>M = Minutes (0 to 59) </maml:para><maml:para>S = Seconds (0 to 59) </maml:para><maml:para>F= Fractions of a second (0 to 9999999) </maml:para><maml:para>Note: Time values must be between the following values: -10675199:02:48:05.4775808 and 10675199:02:48:05.4775807. </maml:para><maml:para>The following examples show how to set this parameter. </maml:para><maml:para>Set the time span to 2 days </maml:para><maml:para>MaxPasswordAge "2" </maml:para><maml:para>Set the time span to the previous 2 days </maml:para><maml:para>MaxPasswordAge "-2" </maml:para><maml:para>Set the time span to 4 hours </maml:para><maml:para>MaxPasswordAge "4:00" </maml:para><maml:para>Set the time span to 5 minutes </maml:para><maml:para>MaxPasswordAge "0:5" </maml:para><maml:para>Set the time span to 45 seconds </maml:para><maml:para>MaxPasswordAge "0:0:45" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">TimeSpan</command:parameterValue><dev:type><maml:name>TimeSpan</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>MinPasswordAge</maml:name><maml:description><maml:para>Specifies the minimum length of time before you can change a password. </maml:para><maml:para>This parameter sets the minPasswordAge property of a password policy. The LDAP Display Name (ldapDisplayName) for this property is "minPwdAge". </maml:para><maml:para>Specify the time interval in the following format. </maml:para><maml:para>[-]D.H:M:S.F </maml:para><maml:para>where: </maml:para><maml:para>[-] = Specifies a negative time interval </maml:para><maml:para>D = Days (0 to 10675199) </maml:para><maml:para>H = Hours (0 to 23) </maml:para><maml:para>M = Minutes (0 to 59) </maml:para><maml:para>S = Seconds (0 to 59) </maml:para><maml:para>F= Fractions of a second (0 to 9999999) </maml:para><maml:para>Note: Time values must be between the following values: -10675199:02:48:05.4775808 and 10675199:02:48:05.4775807. </maml:para><maml:para>The following examples show how to set this parameter. </maml:para><maml:para>Set the time span to 2 days </maml:para><maml:para>-MinPasswordAge "2" </maml:para><maml:para>Set the time span to 4 hours </maml:para><maml:para>-MinPasswordAge "4:00" </maml:para><maml:para>Set the time span to 5 minutes </maml:para><maml:para>-MinPasswordAge "0:5" </maml:para><maml:para>Set the time span to 45 seconds </maml:para><maml:para>-MinPasswordAge "0:0:45" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">TimeSpan</command:parameterValue><dev:type><maml:name>TimeSpan</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>MinPasswordLength</maml:name><maml:description><maml:para>Specifies the minimum number of characters that a password must contain. This parameter sets the MinPasswordLength property of the password policy. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-MinPasswordLength 15 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PasswordHistoryCount</maml:name><maml:description><maml:para>Specifies the number of previous passwords to save. A user cannot reuse a password in the list of saved passwords. This parameter sets the PasswordHistoryCount property for a password policy. </maml:para><maml:para>The following example shows how to set this parameter to save 10 previous passwords. </maml:para><maml:para>-PasswordHistoryCount 10 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Precedence</maml:name><maml:description><maml:para>Specifies a value that defines the precedence of a fine-grained password policy among all fine-grained password policies. This parameter sets the Precedence property for a fine-grained password policy. The LDAP display name (ldapDisplayName) for this property is "msDS-PasswordSettingsPrecedence". </maml:para><maml:para>This value determines which password policy to use when more than one password policy applies to a user or group. When there is a conflict, the password policy that has the lower Precedence property value has higher priority. For example, if PasswordPolicy1 has a Precedence property value of 200 and PasswordPolicy2 has a Precedence property value of 100, PasswordPolicy2 is used. </maml:para><maml:para>Typically, password policy precedence values are assigned in multiples of 10 or 100, making it easier to add policies at a later time. For example, if you set the initial precedence values for your policies to 100 and 200, you can add another policy that has precedence value of 150. </maml:para><maml:para>If the specified Precedence parameter is already assigned to another password policy object, the cmdlet returns a terminating error. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Precedence 100 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ReversibleEncryptionEnabled</maml:name><maml:description><maml:para>Specifies whether the directory must store passwords using reversible encryption. This parameter sets the ReversibleEncryption property for a password policy. Possible values for this parameter include the following: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ReversibleEncryptionEnabled $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A fine grained password policy object is received by the Identity parameter. </maml:para><maml:para>A fine grained password policy object that was retrieved by using the Get-ADFineGrainedPasswordPolicy cmdlet and then modified is received by the Instance parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns the modified fine grained password policy object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with AD LDS. </maml:para><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADFineGrainedPasswordPolicy MyPolicy -Precedence 100 -LockoutDuration 00:40:00 -LockoutObservationWindow 00:20:00 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false -MinPasswordLength 12 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Update the Precedence, LockoutDuration, LockoutObservationWindow, ComplexityEnabled, ReversibleEncryptionEnabled, and MinPasswordLength properties on the FineGrainedPasswordPolicy object with name MyPolicy. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADFineGrainedPasswordPolicy 'CN=MyPolicy,CN=Password Settings Container,CN=System,DC=FABRIKAM,DC=COM' -MinPasswordLength 12 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Set the MinPasswordLength property on the FineGrainedPasswordPolicy object with DistinguishedName CN=MyPolicy,CN=Password Settings Container,CN=System,DC=FABRIKAM,DC=COM. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>$fgpp = Get-ADFineGrainedPasswordPolicy MyPolicy $fgpp.LockoutObservationWindow = [TimeSpan]::Parse("0.00:15:00") $fgpp.LockoutThreshold = 10 $fgpp.MinPasswordLength = 8 $fgpp.PasswordHistoryCount = 24 Set-ADFineGrainedPasswordPolicy -Instance $fgpp </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the FineGrainedPasswordPolicy object with name MyPolicy, Update a set of properties on the object and then write the modifications back to the directory using the instance parameter. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291118</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADFineGrainedPasswordPolicy</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADFineGrainedPasswordPolicy</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADFineGrainedPasswordPolicy</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Set-ADForest</command:name><maml:description><maml:para>Modifies an Active Directory forest.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Set</command:verb><command:noun>ADForest</command:noun><dev:version /></command:details><maml:description><maml:para>The Set-ADForest cmdlet modifies the properties of an Active Directory forest. You can modify commonly used property values by using the cmdlet parameters. Property values that are not associated with cmdlet parameters can be modified by using the Add, Replace, Clear and Remove parameters. </maml:para><maml:para>The Identity parameter specifies the Active Directory forest to modify. You can identify a forest by its fully qualified domain name (FQDN), GUID, DNS host name, or NetBIOS name. You can also set the Identity parameter to an object variable such as $<localADForestObject>, or you can pass an object through the pipeline to the Identity parameter. For example, you can use the Get-ADForest cmdlet to retrieve a forest object and then pass the object through the pipeline to the Set-ADForest cmdlet. </maml:para><maml:para>The Instance parameter provides a way to update a forest object by applying the changes made to a copy of the object. When you set the Instance parameter to a copy of an Active Directory forest object that has been modified, the Set-ADForest cmdlet makes the same changes to the original forest object. To get a copy of the object to modify, use the Get-ADForest object. The Identity parameter is not allowed when you use the Instance parameter. For more information about the Instance parameter, see the Instance parameter description. </maml:para><maml:para>The following examples show how to modify the UPNSuffixes property of a forest object by using three methods: </maml:para><maml:para>-By specifying the Identity and the UPNSuffixes parameters </maml:para><maml:para>-By passing a forest object through the pipeline and specifying the UPNSuffixes parameter </maml:para><maml:para>-By specifying the Instance parameter. </maml:para><maml:para>Method 1: Modify the UPNSuffixes property for the fabrikam.com forest by using the Identity and UPNSuffixes parameters. </maml:para><maml:para>Set-ADForest -Identity fabrikam.com -UPNSuffixes @{replace="fabrikam.com","fabrikam","corp.fabrikam.com"} </maml:para><maml:para>Method 2: Modify the UPNSuffixes property for the fabrikam.com forest by passing the fabrikam.com forest through the pipeline and specifying the UPNSuffixes parameter. </maml:para><maml:para>Get-ADForest -Identity fabrikam.com | Set-ADForest -UPNSuffixes @{replace="fabrikam.com","fabrikam","corp.fabrikam.com"} </maml:para><maml:para>Method 3: Modify the UPNSuffixes property for the fabrikam.com forest by using the Windows PowerShell command line to modify a local instance of the fabrikam.com forest. Then set the Instance parameter to the local instance. </maml:para><maml:para>$forest = Get-ADForest -Identity fabrikam.com </maml:para><maml:para>$forest.UPNSuffixes = "fabrikam.com","fabrikam","corp.fabrikam.com" </maml:para><maml:para>Set-ADForest -Instance $forest. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Set-ADForest</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory forest object by providing one of the following attribute values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Example: corp.contoso.com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>DNS host name </maml:para><maml:para>Example: dnsServer.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a forest object instance. </maml:para><maml:para>This example shows how to set the parameter to a fully qualified domain name. </maml:para><maml:para>-Identity "corp.contoso.com" </maml:para><maml:para>This example shows how to set this parameter to a forest object instance named "forestInstance". </maml:para><maml:para>-Identity $forestInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADForest</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SPNSuffixes</maml:name><maml:description><maml:para>Modifies the list of service principal name (SPN) suffixes of the forest. This parameter sets the multi-valued msDS-SPNSuffixes property of the cross-reference container. This parameter uses the following syntax to add remove, replace, or clear SPN suffix values. </maml:para><maml:para>Syntax: </maml:para><maml:para>To add values: </maml:para><maml:para>-SPNSuffixes @{Add=value1,value2,...} </maml:para><maml:para>To remove values: </maml:para><maml:para>-SPNSuffixes @{Remove=value3,value4,...} </maml:para><maml:para>To replace values: </maml:para><maml:para>-SPNSuffixes @{Replace=value1,value2,...} </maml:para><maml:para>To clear all values: </maml:para><maml:para>-SPNSuffixes $null </maml:para><maml:para>You can specify more than one change by using a list separated by semicolons. For example, use the following syntax to add and remove SPN suffix values </maml:para><maml:para>@{Add=value1,value2,...};@{Remove=value3,value4,...} </maml:para><maml:para>The operators will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>The following example shows how to add and remove SPNSuffixes for a forest. </maml:para><maml:para>-@{Add="ContosoEurope", "ContosoAsia"};@{Remove="Contoso"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>UPNSuffixes</maml:name><maml:description><maml:para>Modifies the list of user principal name (UPN) suffixes of the forest. This parameter sets the multi-valued msDS-UPNSuffixes property of the cross-reference container. This parameter uses the following syntax to add remove, replace, or clear UPN suffix values. </maml:para><maml:para>Syntax: </maml:para><maml:para>To add values: </maml:para><maml:para>-UPNSuffixes @{Add=value1,value2,...} </maml:para><maml:para>To remove values: </maml:para><maml:para>-UPNSuffixes @{Remove=value3,value4,...} </maml:para><maml:para>To replace values: </maml:para><maml:para>-UPNSuffixes @{Replace=value1,value2,...} </maml:para><maml:para>To clear all values: </maml:para><maml:para>-UPNSuffixes $null </maml:para><maml:para>You can specify more than one change by using a list separated by semicolons. For example, use the following syntax to add and remove UPN suffix values </maml:para><maml:para>@{Add=value1,value2,...};@{Remove=value3,value4,...} </maml:para><maml:para>The operators will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>The following example shows how to add and remove UPN suffixes for a forest. </maml:para><maml:para>-UPNSuffixes @{Add="Fabrikam.Com", "Corp.Fabrikam.Com"}; @{Remove="NA.Fabrikam.Com","Europe.Fabrikam.Com"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory forest object by providing one of the following attribute values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Example: corp.contoso.com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>DNS host name </maml:para><maml:para>Example: dnsServer.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a forest object instance. </maml:para><maml:para>This example shows how to set the parameter to a fully qualified domain name. </maml:para><maml:para>-Identity "corp.contoso.com" </maml:para><maml:para>This example shows how to set this parameter to a forest object instance named "forestInstance". </maml:para><maml:para>-Identity $forestInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADForest</command:parameterValue><dev:type><maml:name>ADForest</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SPNSuffixes</maml:name><maml:description><maml:para>Modifies the list of service principal name (SPN) suffixes of the forest. This parameter sets the multi-valued msDS-SPNSuffixes property of the cross-reference container. This parameter uses the following syntax to add remove, replace, or clear SPN suffix values. </maml:para><maml:para>Syntax: </maml:para><maml:para>To add values: </maml:para><maml:para>-SPNSuffixes @{Add=value1,value2,...} </maml:para><maml:para>To remove values: </maml:para><maml:para>-SPNSuffixes @{Remove=value3,value4,...} </maml:para><maml:para>To replace values: </maml:para><maml:para>-SPNSuffixes @{Replace=value1,value2,...} </maml:para><maml:para>To clear all values: </maml:para><maml:para>-SPNSuffixes $null </maml:para><maml:para>You can specify more than one change by using a list separated by semicolons. For example, use the following syntax to add and remove SPN suffix values </maml:para><maml:para>@{Add=value1,value2,...};@{Remove=value3,value4,...} </maml:para><maml:para>The operators will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>The following example shows how to add and remove SPNSuffixes for a forest. </maml:para><maml:para>-@{Add="ContosoEurope", "ContosoAsia"};@{Remove="Contoso"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>UPNSuffixes</maml:name><maml:description><maml:para>Modifies the list of user principal name (UPN) suffixes of the forest. This parameter sets the multi-valued msDS-UPNSuffixes property of the cross-reference container. This parameter uses the following syntax to add remove, replace, or clear UPN suffix values. </maml:para><maml:para>Syntax: </maml:para><maml:para>To add values: </maml:para><maml:para>-UPNSuffixes @{Add=value1,value2,...} </maml:para><maml:para>To remove values: </maml:para><maml:para>-UPNSuffixes @{Remove=value3,value4,...} </maml:para><maml:para>To replace values: </maml:para><maml:para>-UPNSuffixes @{Replace=value1,value2,...} </maml:para><maml:para>To clear all values: </maml:para><maml:para>-UPNSuffixes $null </maml:para><maml:para>You can specify more than one change by using a list separated by semicolons. For example, use the following syntax to add and remove UPN suffix values </maml:para><maml:para>@{Add=value1,value2,...};@{Remove=value3,value4,...} </maml:para><maml:para>The operators will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>The following example shows how to add and remove UPN suffixes for a forest. </maml:para><maml:para>-UPNSuffixes @{Add="Fabrikam.Com", "Corp.Fabrikam.Com"}; @{Remove="NA.Fabrikam.Com","Europe.Fabrikam.Com"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADForest</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A forest object is received by the Identity parameter. </maml:para><maml:para>A forest object that was retrieved by using the Get-ADForest cmdlet and then modified is received by the Instance parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADForest</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns the modified forest object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with AD LDS. </maml:para><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADForest -Identity fabrikam.com -UPNSuffixes @{replace="fabrikam.com","fabrikam","corp.fabrikam.com"} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Set the UPNSuffixes property on the fabrikam.com forest. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADForest -Identity fabrikam.com -SPNSuffixes @{add="corp.fabrikam.com"} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Add corp.fabrikam.com to the SPNSuffixes property on the forest fabrikam.com </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADForest | Set-ADForest -SPNSuffixes @{Add="corp.fabrikam.com";Remove="fabrikam"} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the forest of the current logged on user and update the SPNSuffixes property. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADForest | Set-ADForest -UPNSuffixes $null </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get the forest of the current logged on user and clear the UPNSuffixes property. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291119</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADForest</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADForestMode</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Set-ADForestMode</command:name><maml:description><maml:para>Sets the forest mode for an Active Directory forest.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Set</command:verb><command:noun>ADForestMode</command:noun><dev:version /></command:details><maml:description><maml:para>The Set-ADForestMode cmdlet sets the Forest mode for an Active Directory forest. You specify the forest mode by setting the ForestMode parameter. The forest mode can be set to the following values that are listed in order of functionality from lowest to highest. </maml:para><maml:para>Windows2000Forest </maml:para><maml:para>Windows2003InterimForest </maml:para><maml:para>Windows2003Forest </maml:para><maml:para>Windows2008Forest </maml:para><maml:para>Windows2008R2Forest </maml:para><maml:para>The Identity parameter specifies the Active Directory forest to modify. You can identify a forest by its fully qualified domain name (FQDN), GUID, DNS host name, or NetBIOS name. You can also specify the forest by passing a forest object through the pipeline. For example, you can use the Get-ADForest cmdlet to retrieve a forest object and then pass the object through the pipeline to the Set-ADForestMode. </maml:para><maml:para>Set-ADForestMode will prompt for confirmation by default. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Set-ADForestMode</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory forest object by providing one of the following attribute values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Example: corp.contoso.com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>DNS host name </maml:para><maml:para>Example: dnsServer.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a forest object instance. </maml:para><maml:para>This example shows how to set the parameter to a fully qualified domain name. </maml:para><maml:para>-Identity "corp.contoso.com" </maml:para><maml:para>This example shows how to set this parameter to a forest object instance named "forestInstance". </maml:para><maml:para>-Identity $forestInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADForest</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="3" aliases=""><maml:name>ForestMode</maml:name><maml:description><maml:para>Specifies the forest mode for an Active Directory forest. The possible values for this parameter are: Windows2000Forest or 0 </maml:para><maml:para>Windows2003InterimForest or 1 </maml:para><maml:para>Windows2003Forest or 2 </maml:para><maml:para>Windows2008Forest or 3 </maml:para><maml:para>Windows2008R2Forest or 4 </maml:para><maml:para>The values are listed in order of functionality from least to most. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ForestMode Windows2008R2Forest </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">UnknownForest</command:parameterValue><command:parameterValue required="true" variableLength="false">Windows2000Forest</command:parameterValue><command:parameterValue required="true" variableLength="false">Windows2003InterimForest</command:parameterValue><command:parameterValue required="true" variableLength="false">Windows2003Forest</command:parameterValue><command:parameterValue required="true" variableLength="false">Windows2008Forest</command:parameterValue><command:parameterValue required="true" variableLength="false">Windows2008R2Forest</command:parameterValue><command:parameterValue required="true" variableLength="false">Windows2012Forest</command:parameterValue><command:parameterValue required="true" variableLength="false">Windows2012R2Forest</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="3" aliases=""><maml:name>ForestMode</maml:name><maml:description><maml:para>Specifies the forest mode for an Active Directory forest. The possible values for this parameter are: Windows2000Forest or 0 </maml:para><maml:para>Windows2003InterimForest or 1 </maml:para><maml:para>Windows2003Forest or 2 </maml:para><maml:para>Windows2008Forest or 3 </maml:para><maml:para>Windows2008R2Forest or 4 </maml:para><maml:para>The values are listed in order of functionality from least to most. </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ForestMode Windows2008R2Forest </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADForestMode</command:parameterValue><dev:type><maml:name>ADForestMode</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory forest object by providing one of the following attribute values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Example: corp.contoso.com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>DNS host name </maml:para><maml:para>Example: dnsServer.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to a forest object instance. </maml:para><maml:para>This example shows how to set the parameter to a fully qualified domain name. </maml:para><maml:para>-Identity "corp.contoso.com" </maml:para><maml:para>This example shows how to set this parameter to a forest object instance named "forestInstance". </maml:para><maml:para>-Identity $forestInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADForest</command:parameterValue><dev:type><maml:name>ADForest</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADForest</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A forest object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADForest</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns the modified forest object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with AD LDS. </maml:para><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADForestMode -Identity fabrikam.com -ForestMode Windows2003Forest </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Set the ForestMode to Windows2003Forest in the forest fabrikam.com. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>$currentForest = Get-ADForest Set-ADForestMode -Identity $currentForest -Server $currentForest.SchemaMaster -ForestMode Windows2008R2Forest </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Set the forest mode of the current logged on user's forest. The Set operation targets the Schema Master FSMO to apply the update. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291120</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADForest</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Set-ADGroup</command:name><maml:description><maml:para>Modifies an Active Directory group.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Set</command:verb><command:noun>ADGroup</command:noun><dev:version /></command:details><maml:description><maml:para>The Set-ADGroup cmdlet modifies the properties of an Active Directory group. You can modify commonly used property values by using the cmdlet parameters. Property values that are not associated with cmdlet parameters can be modified by using the Add, Replace, Clear and Remove parameters. </maml:para><maml:para>The Identity parameter specifies the Active Directory group to modify. You can identify a group by its distinguished name (DN), GUID, security identifier (SID) or Security Accounts Manager (SAM) account name. You can also set the Identity parameter to an object variable such as $<localGroupObject>, or you can pass a group object through the pipeline to the Identity parameter. For example, you can use the Get-ADGroup cmdlet to retrieve a group object and then pass the object through the pipeline to the Set-ADGroup cmdlet. </maml:para><maml:para>The Instance parameter provides a way to update a group object by applying the changes made to a copy of the object. When you set the Instance parameter to a copy of an Active Directory group object that has been modified, the Set-ADGroup cmdlet makes the same changes to the original group object. To get a copy of the object to modify, use the Get-ADGroup object. The Identity parameter is not allowed when you use the Instance parameter. For more information about the Instance parameter, see the Instance parameter description. For more information about how the Instance concept is used in Active Directory cmdlets, see about_ActiveDirectory_Instance </maml:para><maml:para>The following examples show how to modify the Description property of a group object by using three methods: </maml:para><maml:para>-By specifying the Identity and the Description parameters </maml:para><maml:para>-By passing a group object through the pipeline and specifying the Description parameter </maml:para><maml:para>-By specifying the Instance parameter. </maml:para><maml:para>Method 1: Modify the Description property for the SecurityLevel2Access group by using the Identity and Description parameters. </maml:para><maml:para>Set-ADGroup -Identity SecurityLevel2Access -Description "Used to authorize Security Level 2 access." </maml:para><maml:para>Method 2: Modify the Description property for the SecurityLevel2Access group by passing the SecurityLevel2Access group through the pipeline and specifying the Description parameter. </maml:para><maml:para>Get-ADGroup -Identity "SecurityLevel2Access" | Set-ADGroup -Description "Used to authorize Security Level 2 access." </maml:para><maml:para>Method 3: Modify the <property> property for the SecurityLevel2Access group by using the Windows PowerShell command line to modify a local instance of the SecurityLevel2Access group. Then set the Instance parameter to the local instance. </maml:para><maml:para>$group = Get-ADGroup -Identity "SecurityLevel2Access" </maml:para><maml:para>$group.Description = "Used to authorize Security Level 2 access." </maml:para><maml:para>Set-ADGroup -Instance $group. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Set-ADGroup</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory group object by providing one of the following values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavisreports,OU=europe,CN=users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>Security Accounts Manager (SAM) Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavisreports </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saradavisreports,OU=europe,CN=users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a group object instance named "ADGroupInstance". </maml:para><maml:para>-Identity $ADGroupInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADGroup</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is "displayName". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-DisplayName "Sara Davis Laptop" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>GroupCategory</maml:name><maml:description><maml:para>Specifies the category of the group. Possible values of this parameter are: </maml:para><maml:para>Distribution or 0 </maml:para><maml:para>Security or 1 </maml:para><maml:para>This parameter sets the GroupCategory property of the group. This parameter value combined with other group values sets the LDAP Display Name (ldapDisplayName) attribute named "groupType". </maml:para><maml:para>The following example shows how to specify that a group is a security group. </maml:para><maml:para>-GroupCategory security </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Distribution</command:parameterValue><command:parameterValue required="true" variableLength="false">Security</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>GroupScope</maml:name><maml:description><maml:para>Specifies the group scope of the group. Possible values of this parameter are: </maml:para><maml:para>DomainLocal or 0 </maml:para><maml:para>Global or 1 </maml:para><maml:para>Universal or 2 </maml:para><maml:para>This parameter sets the GroupScope property of a group object to the specified value. The LDAP display name of this property is "groupType". </maml:para><maml:para>The following example shows two ways to set this parameter to DomainLocal. </maml:para><maml:para>-GroupScope DomainLocal </maml:para><maml:para>-GroupScope 0 </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">DomainLocal</command:parameterValue><command:parameterValue required="true" variableLength="false">Global</command:parameterValue><command:parameterValue required="true" variableLength="false">Universal</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>HomePage</maml:name><maml:description><maml:para>Specifies the URL of the home page of the object. This parameter sets the homePage property of an Active Directory object. The LDAP Display Name (ldapDisplayName) for this property is "wWWHomePage". </maml:para><maml:para>The following example shows how to set this parameter to a URL. </maml:para><maml:para>-HomePage "http://employees.contoso.com/sdavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ManagedBy</maml:name><maml:description><maml:para>Specifies the user or group that manages the object by providing one of the following property values. Note: The identifier in parentheses is the LDAP display name for the property. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,OU=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>This parameter sets the Active Directory attribute with an LDAP Display Name of "managedBy". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-ManagedBy ContosoAdmins </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADPrincipal</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SamAccountName</maml:name><maml:description><maml:para>Specifies the Security Account Manager (SAM) account name of the user, group, computer, or service account. The maximum length of the description is 256 characters. To be compatible with older operating systems, create a SAM account name that is 20 characters or less. This parameter sets the SAMAccountName for an account object. The LDAP display name (ldapDisplayName) for this property is "sAMAccountName". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-SAMAccountName "saradavis" </maml:para><maml:para>Note: If the string value provided is not terminated with a '$' character, the system adds one if needed. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Set-ADGroup</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies a modified copy of a group object to use to update the actual Active Directory group object. When this parameter is used, any modifications made to the modified copy of the object are also made to the corresponding Active Directory object. The cmdlet only updates the object properties that have changed. </maml:para><maml:para>The Instance parameter can only update group objects that have been retrieved by using the Get-ADGroup cmdlet. When you specify the Instance parameter, you cannot specify other parameters that set properties on the object. </maml:para><maml:para>The following is an example of how to use the Get-ADGroup cmdlet to retrieve an instance of the ADGroup object. The object is modified by using the Windows PowerShell command line. Then the Set-ADGroup cmdlet saves the changes to the Active Directory object. </maml:para><maml:para>Step 1: Retrieve a local instance of the object. </maml:para><maml:para>$groupInstance = Get-ADGroup -Identity "SaraDavisReports" </maml:para><maml:para>Step 2: Modify one or more properties of the object instance. </maml:para><maml:para>$groupInstance.GroupScope= "Global" </maml:para><maml:para>Step3: Save your changes to "SaraDavisReports". </maml:para><maml:para>Set-ADGroup -Instance $groupInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADGroup</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is "displayName". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-DisplayName "Sara Davis Laptop" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>GroupCategory</maml:name><maml:description><maml:para>Specifies the category of the group. Possible values of this parameter are: </maml:para><maml:para>Distribution or 0 </maml:para><maml:para>Security or 1 </maml:para><maml:para>This parameter sets the GroupCategory property of the group. This parameter value combined with other group values sets the LDAP Display Name (ldapDisplayName) attribute named "groupType". </maml:para><maml:para>The following example shows how to specify that a group is a security group. </maml:para><maml:para>-GroupCategory security </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADGroupCategory</command:parameterValue><dev:type><maml:name>ADGroupCategory</maml:name><maml:uri /></dev:type><dev:defaultValue>Security</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>GroupScope</maml:name><maml:description><maml:para>Specifies the group scope of the group. Possible values of this parameter are: </maml:para><maml:para>DomainLocal or 0 </maml:para><maml:para>Global or 1 </maml:para><maml:para>Universal or 2 </maml:para><maml:para>This parameter sets the GroupScope property of a group object to the specified value. The LDAP display name of this property is "groupType". </maml:para><maml:para>The following example shows two ways to set this parameter to DomainLocal. </maml:para><maml:para>-GroupScope DomainLocal </maml:para><maml:para>-GroupScope 0 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADGroupScope</command:parameterValue><dev:type><maml:name>ADGroupScope</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>HomePage</maml:name><maml:description><maml:para>Specifies the URL of the home page of the object. This parameter sets the homePage property of an Active Directory object. The LDAP Display Name (ldapDisplayName) for this property is "wWWHomePage". </maml:para><maml:para>The following example shows how to set this parameter to a URL. </maml:para><maml:para>-HomePage "http://employees.contoso.com/sdavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory group object by providing one of the following values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavisreports,OU=europe,CN=users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>Security Accounts Manager (SAM) Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavisreports </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saradavisreports,OU=europe,CN=users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a group object instance named "ADGroupInstance". </maml:para><maml:para>-Identity $ADGroupInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADGroup</command:parameterValue><dev:type><maml:name>ADGroup</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies a modified copy of a group object to use to update the actual Active Directory group object. When this parameter is used, any modifications made to the modified copy of the object are also made to the corresponding Active Directory object. The cmdlet only updates the object properties that have changed. </maml:para><maml:para>The Instance parameter can only update group objects that have been retrieved by using the Get-ADGroup cmdlet. When you specify the Instance parameter, you cannot specify other parameters that set properties on the object. </maml:para><maml:para>The following is an example of how to use the Get-ADGroup cmdlet to retrieve an instance of the ADGroup object. The object is modified by using the Windows PowerShell command line. Then the Set-ADGroup cmdlet saves the changes to the Active Directory object. </maml:para><maml:para>Step 1: Retrieve a local instance of the object. </maml:para><maml:para>$groupInstance = Get-ADGroup -Identity "SaraDavisReports" </maml:para><maml:para>Step 2: Modify one or more properties of the object instance. </maml:para><maml:para>$groupInstance.GroupScope= "Global" </maml:para><maml:para>Step3: Save your changes to "SaraDavisReports". </maml:para><maml:para>Set-ADGroup -Instance $groupInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADGroup</command:parameterValue><dev:type><maml:name>ADGroup</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ManagedBy</maml:name><maml:description><maml:para>Specifies the user or group that manages the object by providing one of the following property values. Note: The identifier in parentheses is the LDAP display name for the property. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,OU=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>This parameter sets the Active Directory attribute with an LDAP Display Name of "managedBy". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-ManagedBy ContosoAdmins </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADPrincipal</command:parameterValue><dev:type><maml:name>ADPrincipal</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SamAccountName</maml:name><maml:description><maml:para>Specifies the Security Account Manager (SAM) account name of the user, group, computer, or service account. The maximum length of the description is 256 characters. To be compatible with older operating systems, create a SAM account name that is 20 characters or less. This parameter sets the SAMAccountName for an account object. The LDAP display name (ldapDisplayName) for this property is "sAMAccountName". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-SAMAccountName "saradavis" </maml:para><maml:para>Note: If the string value provided is not terminated with a '$' character, the system adds one if needed. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADGroup</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A group object is received by the Identity parameter. </maml:para><maml:para>A group object that was retrieved by using the Get-ADGroup cmdlet and then modified is received by the Instance parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADGroup</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns the modified group object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>set-adgroup -server localhost:60000 -Identity "CN=AccessControl,DC=AppNC" -description "Access Group" -passthru DistinguishedName : CN=AccessControl,DC=AppNC GroupCategory : Security GroupScope : DomainLocal Name : AccessControl ObjectClass : group ObjectGUID : d65f5e8f-36da-4390-9840-8b9fde6282fc SID : S-1-510474493-936115905-2782881406-1264922549-3814061485-1557022459 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Set the description property of the group AccessControl to "Access Group" on an ADAM instance. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>get-adgroup -filter 'name -like "Access*"' | set-adgroup -description "Access Group" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Modify the description on all groups that have a name that starts with access via the pipeline. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>PS adam:\DC=AppNC> get-adgroup -filter 'name -like "Access*"' | set-adgroup -description "Access Group" PS adam:\DC=AppNC> $group = get-adgroup -server localhost:60000 -Identity "CN=AccessControl,DC=AppNC" PS adam:\DC=AppNC> $group.description = "Access Group" PS adam:\DC=AppNC> set-adgroup -Instance $group -passthru DistinguishedName : CN=AccessControl,DC=AppNC GroupCategory : Security GroupScope : DomainLocal Name : AccessControl ObjectClass : group ObjectGUID : d65f5e8f-36da-4390-9840-8b9fde6282fc SID : S-1-510474493-936115905-2782881406-1264922549-3814061485-1557022459 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Set the description property on the AccessControl group via the instance parameter. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291121</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Add-ADGroupMember</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Add-ADPrincipalGroupMembership</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADGroup</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADGroupMember</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADPrincipalGroupMembership</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADGroup</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADGroup</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADGroupMember</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADPrincipalGroupMembership</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Set-ADObject</command:name><maml:description><maml:para>Modifies an Active Directory object.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Set</command:verb><command:noun>ADObject</command:noun><dev:version /></command:details><maml:description><maml:para>The Set-ADObject cmdlet modifies the properties of an Active Directory object. You can modify commonly used property values by using the cmdlet parameters. Property values that are not associated with cmdlet parameters can be modified by using the Add, Replace, Clear and Remove parameters. </maml:para><maml:para>The Identity parameter specifies the Active Directory object to modify. You can identify an object by its distinguished name (DN) or GUID. You can also set the Identity parameter to an object variable such as $<localObject>, or you can pass an object through the pipeline to the Identity parameter. For example, you can use the Get-ADObject cmdlet to retrieve an object and then pass the object through the pipeline to the Set-ADObject cmdlet. </maml:para><maml:para>The Instance parameter provides a way to update an object by applying the changes made to a copy of the object. When you set the Instance parameter to a copy of an Active Directory object that has been modified, the Set-ADObject cmdlet makes the same changes to the original object. To get a copy of the object to modify, use the Get-ADObject object. The Identity parameter is not allowed when you use the Instance parameter. For more information about the Instance parameter, see the Instance parameter description. For more information about how the Instance concept is used in Active Directory cmdlets, see about_ActiveDirectory_Instance. </maml:para><maml:para>The following examples show how to modify the DisplayName property of an object by using three methods: </maml:para><maml:para>-By specifying the Identity and the DisplayName parameters </maml:para><maml:para>-By passing an object through the pipeline and specifying the DisplayName parameter </maml:para><maml:para>-By specifying the Instance parameter. </maml:para><maml:para>Method 1: Modify the DisplayName property for the SecurityLevel2AccessGroup object by using the Identity and DisplayName parameters. </maml:para><maml:para>Set-ADObject -Identity "SecurityLevel2AccessGroup" -DisplayName "Security Level 2" </maml:para><maml:para>Method 2: Modify the DisplayName property for the SecurityLevel2AccessGroup object by passing the SecurityLevel2AccessGroup object through the pipeline and specifying the DisplayName parameter. </maml:para><maml:para>Get-ADObject -Identity "SecurityLevel2AccessGroup" | Set-ADObject -DisplayName "Security Level 2" </maml:para><maml:para>Method 3: Modify the DisplayName property for the SecurityLevel2AccessGroup object by using the Windows PowerShell command line to modify a local instance of the SecurityLevel2AccessGroup object. Then set the Instance parameter to the local instance. </maml:para><maml:para>$adobject = Get-ADObject -Identity "SecurityLevel2AccessGroup" </maml:para><maml:para>$adobject.DisplayName = "Security Level 2" </maml:para><maml:para>Set-ADObject -Instance $adobject. </maml:para><maml:para>For AD LDS environments, the Partition parameter must be specified except in the following two conditions: </maml:para><maml:para>-The cmdlet is run from an Active Directory provider drive. </maml:para><maml:para>-A default naming context or partition is defined for the AD LDS environment. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Set-ADObject</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavis,OU=users,OU=asia,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADDomain </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADObject</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is "displayName". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-DisplayName "Sara Davis Laptop" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Set-ADObject</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies a modified copy of an Active Directory object to use to update the actual Active Directory object. When this parameter is used, any modifications made to the modified copy of the object are also made to the corresponding Active Directory object. The cmdlet only updates the object properties that have changed. </maml:para><maml:para>The Instance parameter can only update Active Directory objects that have been retrieved by using the Get-ADObject cmdlet. When you specify the Instance parameter, you cannot specify other parameters that set properties on the object. </maml:para><maml:para>The following is an example of how to use the Get-ADObject cmdlet to retrieve an instance of the object. The object is modified by using the Windows PowerShell command line. Then the Set-ADObject cmdlet saves the changes to the Active Directory object. </maml:para><maml:para>Step 1: Retrieve a local instance of the object. </maml:para><maml:para>$objectInstance = Get-ADObject -Identity "CN=someObject, DC=contoso,DC=com" </maml:para><maml:para>Step 2: Modify one or more properties of the object instance. </maml:para><maml:para>$objectInstance.Description = "New Description" </maml:para><maml:para>Step3: Save your changes to the object </maml:para><maml:para>Set-ADObject -Instance $objectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADObject</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is "displayName". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-DisplayName "Sara Davis Laptop" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavis,OU=users,OU=asia,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADDomain </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADObject</command:parameterValue><dev:type><maml:name>ADObject</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies a modified copy of an Active Directory object to use to update the actual Active Directory object. When this parameter is used, any modifications made to the modified copy of the object are also made to the corresponding Active Directory object. The cmdlet only updates the object properties that have changed. </maml:para><maml:para>The Instance parameter can only update Active Directory objects that have been retrieved by using the Get-ADObject cmdlet. When you specify the Instance parameter, you cannot specify other parameters that set properties on the object. </maml:para><maml:para>The following is an example of how to use the Get-ADObject cmdlet to retrieve an instance of the object. The object is modified by using the Windows PowerShell command line. Then the Set-ADObject cmdlet saves the changes to the Active Directory object. </maml:para><maml:para>Step 1: Retrieve a local instance of the object. </maml:para><maml:para>$objectInstance = Get-ADObject -Identity "CN=someObject, DC=contoso,DC=com" </maml:para><maml:para>Step 2: Modify one or more properties of the object instance. </maml:para><maml:para>$objectInstance.Description = "New Description" </maml:para><maml:para>Step3: Save your changes to the object </maml:para><maml:para>Set-ADObject -Instance $objectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADObject</command:parameterValue><dev:type><maml:name>ADObject</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADObject</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>An Active Directory object is received by the Identity parameter. Derived types, such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADOrganizationalUnit </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADDomain </maml:para><maml:para>An object that was retrieved by using the Get-ADObject cmdlet and then modified is received by the Instance parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADObject</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns the modified object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADObject 'CN=AntonioAl Direct Reports,OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM' -Description 'Distribution List of Antonio Alwan Direct Reports' </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Set the Description property on the object with DistinguishedName 'CN=AntonioAl Direct Reports,OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADObject 'CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=FABRIKAM,DC=COM' -Add @{siteList='CN=BO3,CN=Sites,CN=Configuration,DC=FABRIKAM,DC=COM'} -Partition 'CN=Configuration,DC=FABRIKAM,DC=COM' </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Add the site 'CN=BO3,CN=Sites,CN=Configuration,DC=FABRIKAM,DC=COM' to the property siteList on the object with DistinguishedName 'CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=FABRIKAM,DC=COM'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>$urlValues = @() $urlValues += "www.contoso.com" $urlValues += "www.fabrikam.com" Set-ADObject "cdadd380-d3a8-4fd1-9d30-5cf72d94a056" -Add @{url=$urlValues} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Add two new urls to the property urlValues in the object with objectGuid 'cdadd380-d3a8-4fd1-9d30-5cf72d94a056'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>$urlValues = @() $urlValues += "www.contoso.com" $urlValues += "www.fabrikam.com" Set-ADObject "cdadd380-d3a8-4fd1-9d30-5cf72d94a056" -Replace @{url=$urlValues;description="Antonio Alwan"} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Replaces the old values of the multi-valued attribute 'url' with the new values and sets the value of the attribute 'description'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 5 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADObject "cdadd380-d3a8-4fd1-9d30-5cf72d94a056" -Remove @{url="www.contoso.com"} -Replace @{description="Antonio Alwan (European Manager)"} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Removes the specified value from the attribute 'url' and sets the value of the attribute 'description'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 6 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>$myComp = Get-ADObject -identity "cdadd380-d3a8-4fd1-9d30-5cf72d94a056" -Properties "userAccountControl","description" #Now set the new account control using powershell bitwise OR operation (-bor) and set description $myComp.userAccountControl = $myComp.userAccountControl -bor 50 $myComp.description = "Setting a new UAC on the object" #Save the changes Set-ADObject -Instance $myComp </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Sets a new UAC bit on an object by updating the attribute 'userAccountControl' and setting the value of the attribute 'description'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 7 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>set-adobject "CN=InternalApps,DC=AppNC" -protectedFromAccidentalDeletion $true -server "FABRIKAM-SRV1:60000" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Sets container "CN=InternalApps,DC=AppNC" in an LDS instance to be protected from accidental deletion </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291122</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADObject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADObject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADObject</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Set-ADOrganizationalUnit</command:name><maml:description><maml:para>Modifies an Active Directory organizational unit.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Set</command:verb><command:noun>ADOrganizationalUnit</command:noun><dev:version /></command:details><maml:description><maml:para>The Set-ADOrganizationalUnit cmdlet modifies the properties of an Active Directory organizational unit. You can modify commonly used property values by using the cmdlet parameters. Property values that are not associated with cmdlet parameters can be modified by using the Add, Replace, Clear and Remove parameters. </maml:para><maml:para>The Identity parameter specifies the Active Directory organizational unit to modify. You can identify an organizational unit by its distinguished name (DN) or GUID. </maml:para><maml:para>You can also set the Identity parameter to an object variable such as $<localADOrganizationalUnitObject>, or you can pass an object through the pipeline to the Identity parameter. For example, you can use the Get-ADOrganizationalUnit cmdlet to retrieve an organizational unit object and then pass the object through the pipeline to the Set-ADOrganizationalUnit cmdlet. </maml:para><maml:para>The Instance parameter provides a way to update an organizational unit object by applying the changes made to a copy of the object. When you set the Instance parameter to a copy of an Active Directory organizational unit object that has been modified, the Set-ADOrganizationalUnit cmdlet makes the same changes to the original organizational unit object. To get a copy of the object to modify, use the Get-ADOrganizationalUnit object. When you specify the Instance parameter you should not pass the Identity parameter. For more information about the Instance parameter, see the Instance parameter description. </maml:para><maml:para>For more information about how the Instance concept is used in Active Directory cmdlets, see about_ActiveDirectory_Instance. </maml:para><maml:para>The following examples show how to modify the ManagedBy property of an organizational unit object by using three methods: </maml:para><maml:para>-By specifying the Identity and the ManagedBy parameters </maml:para><maml:para>-By passing an organizational unit object through the pipeline and specifying the ManagedBy parameter </maml:para><maml:para>-By specifying the Instance parameter. </maml:para><maml:para>Method 1: Modify the ManagedBy property for the "AccountingDepartment" organizational unit by using the Identity and ManagedBy parameters. </maml:para><maml:para>Set-ADOrganizationalUnit -Identity "AccountingDepartment" -ManagedBy "SaraDavisGroup" </maml:para><maml:para>Method 2: Modify the ManagedBy property for the "AccountingDepartment" organizational unit by passing the "AccountingDepartment" organizational unit through the pipeline and specifying the ManagedBy parameter. </maml:para><maml:para>Get-ADOrganizationalUnit -Identity ""AccountingDepartment"" | Set-ADOrganizationalUnit -ManagedBy "SaraDavisGroup" </maml:para><maml:para>Method 3: Modify the ManagedBy property for the "AccountingDepartment" organizational unit by using the Windows PowerShell command line to modify a local instance of the "AccountingDepartment" organizational unit. Then set the Instance parameter to the local instance. </maml:para><maml:para>$organizational unit = Get-ADOrganizationalUnit -Identity "AccountingDepartment" </maml:para><maml:para>$organizational unit.ManagedBy = "SaraDavisGroup" </maml:para><maml:para>Set-ADOrganizationalUnit -Instance $organizational unit. </maml:para><maml:para>For AD LDS environments, the Partition parameter must be specified except in the following two conditions: </maml:para><maml:para>-The cmdlet is run from an Active Directory provider drive. </maml:para><maml:para>-A default naming context or partition is defined for the AD LDS environment. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Set-ADOrganizationalUnit</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavis,OU=users,OU=asia,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADDomain </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADOrganizationalUnit</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>City</maml:name><maml:description><maml:para>Specifies the user's town or city. This parameter sets the City property of a user. The LDAP display name (ldapDisplayName) of this property is "l". </maml:para><maml:para>The following example shows how set this parameter. </maml:para><maml:para>-City "Las Vegas" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Country</maml:name><maml:description><maml:para>Specifies the country or region code for the user's language of choice. This parameter sets the Country property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "c". This value is not used by Windows 2000. </maml:para><maml:para>The following example shows how set this parameter. </maml:para><maml:para>-Country "IN" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is "displayName". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-DisplayName "Sara Davis Laptop" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ManagedBy</maml:name><maml:description><maml:para>Specifies the user or group that manages the object by providing one of the following property values. Note: The identifier in parentheses is the LDAP display name for the property. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,OU=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>This parameter sets the Active Directory attribute with an LDAP Display Name of "managedBy". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-ManagedBy ContosoAdmins </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADPrincipal</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PostalCode</maml:name><maml:description><maml:para>Specifies the user's postal code or zip code. This parameter sets the PostalCode property of a user. The LDAP Display Name (ldapDisplayName) of this property is "postalCode". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-PostalCode "28712" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>State</maml:name><maml:description><maml:para>Specifies the user's or Organizational Unit's state or province. This parameter sets the State property of a User or Organizational Unit object. The LDAP display name (ldapDisplayName) of this property is "st". </maml:para><maml:para>The following example shows how set this parameter. </maml:para><maml:para>-State "Nevada" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>StreetAddress</maml:name><maml:description><maml:para>Specifies the organizational unit's street address. This parameter sets the StreetAddress property of a organizational unit object. The LDAP display name (ldapDisplayName) of this property is "street". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-StreetAddress "1200 Main Street" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Set-ADOrganizationalUnit</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies a modified copy of an organizational unit object to use to update the actual Active Directory organizational unit object. When this parameter is used, any modifications made to the modified copy of the object are also made to the corresponding Active Directory object. The cmdlet only updates the object properties that have changed. </maml:para><maml:para>The Instance parameter can only update organizational unit objects that have been retrieved by using the Get-ADOrganizationalUnit cmdlet. When you specify the Instance parameter, you cannot specify other parameters that set properties on the object. </maml:para><maml:para>The following is an example of how to use the Get-ADOrganizationalUnit cmdlet to retrieve an instance of the ADOrganizationalUnit object. The object is modified by using the Windows PowerShell command line. Then the Set-ADOrganizationalUnit cmdlet saves the changes to the Active Directory object. </maml:para><maml:para>Step 1: Retrieve a local instance of the object. </maml:para><maml:para>$organizationalUnitInstance = Get-ADOrganizationalUnit -Identity "OU=Accounting,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>Step 2: Modify one or more properties of the object instance. </maml:para><maml:para>$organizationalUnitInstance.ManagedBy = "CN=SaraDavisGroup,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>Step3: Save your changes to Accounting. </maml:para><maml:para>Set-ADOrganizationalUnit -Instance $organizationalUnitInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADOrganizationalUnit</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>City</maml:name><maml:description><maml:para>Specifies the user's town or city. This parameter sets the City property of a user. The LDAP display name (ldapDisplayName) of this property is "l". </maml:para><maml:para>The following example shows how set this parameter. </maml:para><maml:para>-City "Las Vegas" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Country</maml:name><maml:description><maml:para>Specifies the country or region code for the user's language of choice. This parameter sets the Country property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "c". This value is not used by Windows 2000. </maml:para><maml:para>The following example shows how set this parameter. </maml:para><maml:para>-Country "IN" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is "displayName". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-DisplayName "Sara Davis Laptop" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavis,OU=users,OU=asia,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADDomain </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADOrganizationalUnit</command:parameterValue><dev:type><maml:name>ADOrganizationalUnit</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies a modified copy of an organizational unit object to use to update the actual Active Directory organizational unit object. When this parameter is used, any modifications made to the modified copy of the object are also made to the corresponding Active Directory object. The cmdlet only updates the object properties that have changed. </maml:para><maml:para>The Instance parameter can only update organizational unit objects that have been retrieved by using the Get-ADOrganizationalUnit cmdlet. When you specify the Instance parameter, you cannot specify other parameters that set properties on the object. </maml:para><maml:para>The following is an example of how to use the Get-ADOrganizationalUnit cmdlet to retrieve an instance of the ADOrganizationalUnit object. The object is modified by using the Windows PowerShell command line. Then the Set-ADOrganizationalUnit cmdlet saves the changes to the Active Directory object. </maml:para><maml:para>Step 1: Retrieve a local instance of the object. </maml:para><maml:para>$organizationalUnitInstance = Get-ADOrganizationalUnit -Identity "OU=Accounting,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>Step 2: Modify one or more properties of the object instance. </maml:para><maml:para>$organizationalUnitInstance.ManagedBy = "CN=SaraDavisGroup,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>Step3: Save your changes to Accounting. </maml:para><maml:para>Set-ADOrganizationalUnit -Instance $organizationalUnitInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADOrganizationalUnit</command:parameterValue><dev:type><maml:name>ADOrganizationalUnit</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ManagedBy</maml:name><maml:description><maml:para>Specifies the user or group that manages the object by providing one of the following property values. Note: The identifier in parentheses is the LDAP display name for the property. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,OU=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>This parameter sets the Active Directory attribute with an LDAP Display Name of "managedBy". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-ManagedBy ContosoAdmins </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADPrincipal</command:parameterValue><dev:type><maml:name>ADPrincipal</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PostalCode</maml:name><maml:description><maml:para>Specifies the user's postal code or zip code. This parameter sets the PostalCode property of a user. The LDAP Display Name (ldapDisplayName) of this property is "postalCode". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-PostalCode "28712" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>State</maml:name><maml:description><maml:para>Specifies the user's or Organizational Unit's state or province. This parameter sets the State property of a User or Organizational Unit object. The LDAP display name (ldapDisplayName) of this property is "st". </maml:para><maml:para>The following example shows how set this parameter. </maml:para><maml:para>-State "Nevada" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>StreetAddress</maml:name><maml:description><maml:para>Specifies the organizational unit's street address. This parameter sets the StreetAddress property of a organizational unit object. The LDAP display name (ldapDisplayName) of this property is "street". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-StreetAddress "1200 Main Street" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADOrganizationalUnit</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>An organizational unit object is received by the Identity parameter. </maml:para><maml:para>An organizational unit object that was retrieved by using the Get-ADOrganizationalUnit cmdlet and then modified is received by the Instance parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADOrganizationalUnit</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns the modified organizational unit object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADOrganizationalUnit -Identity "OU=UserAccounts,DC=FABRIKAM,DC=COM" -Description "This Organizational Unit holds all of the users accounts of FABRIKAM.COM" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Sets the description of the OrganizationalUnit with distinguishedName OU=UserAccounts,DC=FABRIKAM,DC=COM. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADOrganizationalUnit -Identity "OU=UserAccounts,DC=FABRIKAM,DC=COM" -ProtectedFromAccidentalDeletion $false </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Sets the ProtectedFromAccidentalDeletion property to $false on the OrganizationalUnit with distinguishedName OU=UserAccounts,DC=FABRIKAM,DC=COM. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADOrganizationalUnit -Identity "OU=AsiaPacific,OU=Sales,OU=UserAccounts,DC=FABRIKAM,DC=COM" -Country "AU" -StreetAddress "45 Martens Place" -City Balmoral -State QLD -PostalCode 4171 -Replace @{co="Australia"} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Sets the Country, City and State, PostalCode and co properties on the OrganizationalUnit 'OU=AsiaPacific,OU=Sales,OU=UserAccounts,DC=FABRIKAM,DC=COM'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>$EuropeSalesOU = Get-ADOrganizationalUnit "OU=Europe,OU=Sales,OU=UserAccounts,DC=FABRIKAM,DC=COM" $EuropeSalesOU.Country = "UK" $EuropeSalesOU.StreetAddress = "22 Station Rd" $EuropeSalesOU.City = "QUARRINGTON" $EuropeSalesOU.PostalCode = "NG34 0NI" $EuropeSalesOU.co ="United Kingdom" Set-ADOrganizationalUnit -Instance $EuropeSalesOU </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Creates a new OrganizationalUnit using the OrganizationalUnit 'OU=Europe,OU=Sales,OU=UserAccounts,DC=FABRIKAM,DC=COM' as a template. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 5 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADOrganizationalUnit -Identity "OU=Managed,DC=AppNC" -Server "FABRIKAM-SRV1:60000" -Country "UK" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Set the Country property of the OrganizationalUnit 'OU=Managed,DC=AppNC' in an AD LDS instance. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291123</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADOrganizationalUnit</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADOrganizationalUnit</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADOrganizationalUnit</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Set-ADReplicationConnection</command:name><maml:description><maml:para>Sets properties on Active Directory replication connections.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Set</command:verb><command:noun>ADReplicationConnection</command:noun><dev:version /></command:details><maml:description><maml:para>The Set-ADReplicationConnection cmdlet sets properties on Active Directory replication connections. Connections are used to enable domain controllers to replicate with each other. A connection defines a one-way, inbound route from one domain controller, the source, to another domain controller, the destination. The Kerberos consistency checker (KCC) reuses existing connections where it can, deletes unused connections, and creates new connections if none exist that meet the current need. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Set-ADReplicationConnection</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavis,OU=users,OU=asia,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADDomain </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationConnection</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ReplicateFromDirectoryServer</maml:name><maml:description><maml:para>Specifies the domain controller to use as a source for this replication connection. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADDirectoryServer</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ReplicationSchedule</maml:name><maml:description><maml:para>Specifies the schedule on which the source server is available for replication. </maml:para><maml:para>Replication occurs at intervals that administrators can schedule so that use of expensive WAN links is managed. Use this parameter to specify the replication intervals. For more information on how replication topology works, go to http://go.microsoft.com/fwlink/?LinkId=223932. </maml:para><maml:para>To specify the replication schedule, </maml:para><maml:para>1. Create a new Active Directory schedule object. </maml:para><maml:para>Example: </maml:para><maml:para>$schedule = New-Object -TypeName System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule; </maml:para><maml:para>2. Edit the schedule on the Active Directory schedule object. </maml:para><maml:para>Example: </maml:para><maml:para>$schedule.ResetSchedule(); </maml:para><maml:para>$schedule.SetDailySchedule("Twenty","Zero","TwentyTwo","Thirty"); </maml:para><maml:para>3. Using the Active Directory schedule object, set the replication schedule of the connection </maml:para><maml:para>Set-ADReplicationConnection "5f98e288-19e0-47a0-9677-57f05ed54f6b" -ReplicationSchedule $schedule </maml:para><maml:para>For more information on the ActiveDirectorySchedule class, go to http://go.microsoft.com/fwlink/?LinkId=223933. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ActiveDirectorySchedule</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Set-ADReplicationConnection</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of an Active Directory object to use as a template for a new Active Directory object. </maml:para><maml:para>You can use an instance of an existing Active Directory object as a template or you can construct a new Active Directory object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new Active Directory object. </maml:para><maml:para>Method 1: Use an existing Active Directory object as a template for a new object. To retrieve an instance of an existing Active Directory object, use a cmdlet such as Get-ADObject. Then provide this object to the Instance parameter of the New-ADObject cmdlet to create a new Active Directory object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADObject -Identity saraDavisDesktop </maml:para><maml:para>New-ADObject -Name "ellenAdamsDesktop" -Instance $ObjectInstance -Type "computer" </maml:para><maml:para>Method 2: Create a new ADObject and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADObject cmdlet to create the new Active Directory object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADObject $objectInstance.Description = "Ellen Adams New Computer" New-ADObject -Name ellenAdamsDesktop -Instance $ObjectInstance -Type computer </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationConnection</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavis,OU=users,OU=asia,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADDomain </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationConnection</command:parameterValue><dev:type><maml:name>ADReplicationConnection</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of an Active Directory object to use as a template for a new Active Directory object. </maml:para><maml:para>You can use an instance of an existing Active Directory object as a template or you can construct a new Active Directory object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new Active Directory object. </maml:para><maml:para>Method 1: Use an existing Active Directory object as a template for a new object. To retrieve an instance of an existing Active Directory object, use a cmdlet such as Get-ADObject. Then provide this object to the Instance parameter of the New-ADObject cmdlet to create a new Active Directory object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADObject -Identity saraDavisDesktop </maml:para><maml:para>New-ADObject -Name "ellenAdamsDesktop" -Instance $ObjectInstance -Type "computer" </maml:para><maml:para>Method 2: Create a new ADObject and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADObject cmdlet to create the new Active Directory object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADObject $objectInstance.Description = "Ellen Adams New Computer" New-ADObject -Name ellenAdamsDesktop -Instance $ObjectInstance -Type computer </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationConnection</command:parameterValue><dev:type><maml:name>ADReplicationConnection</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ReplicateFromDirectoryServer</maml:name><maml:description><maml:para>Specifies the domain controller to use as a source for this replication connection. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADDirectoryServer</command:parameterValue><dev:type><maml:name>ADDirectoryServer</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ReplicationSchedule</maml:name><maml:description><maml:para>Specifies the schedule on which the source server is available for replication. </maml:para><maml:para>Replication occurs at intervals that administrators can schedule so that use of expensive WAN links is managed. Use this parameter to specify the replication intervals. For more information on how replication topology works, go to http://go.microsoft.com/fwlink/?LinkId=223932. </maml:para><maml:para>To specify the replication schedule, </maml:para><maml:para>1. Create a new Active Directory schedule object. </maml:para><maml:para>Example: </maml:para><maml:para>$schedule = New-Object -TypeName System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule; </maml:para><maml:para>2. Edit the schedule on the Active Directory schedule object. </maml:para><maml:para>Example: </maml:para><maml:para>$schedule.ResetSchedule(); </maml:para><maml:para>$schedule.SetDailySchedule("Twenty","Zero","TwentyTwo","Thirty"); </maml:para><maml:para>3. Using the Active Directory schedule object, set the replication schedule of the connection </maml:para><maml:para>Set-ADReplicationConnection "5f98e288-19e0-47a0-9677-57f05ed54f6b" -ReplicationSchedule $schedule </maml:para><maml:para>For more information on the ActiveDirectorySchedule class, go to http://go.microsoft.com/fwlink/?LinkId=223933. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ActiveDirectorySchedule</command:parameterValue><dev:type><maml:name>ActiveDirectorySchedule</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADReplicationConnection</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A connection object is received by the Identity parameter. </maml:para><maml:para>A connection object that was retrieved by using the Get-ADReplicationConnection cmdlet and then modified is received by the Instance parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADReplicationConnection</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADReplicationConnection "5f98e288-19e0-47a0-9677-57f05ed54f6b" -ReplicateFromDirectoryServer corp-DC01 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Set the replication connection with name '5f98e288-19e0-47a0-9677-57f05ed54f6b' to replicate from corp-DC01. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>$schedule = New-Object -TypeName System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule; $schedule.ResetSchedule(); $schedule.SetDailySchedule("Twenty","Zero","TwentyTwo","Thirty"); Get-ADReplicationConnection -Filter {ReplicateFromDirectoryServer -eq "corp-DC01"} -Properties ReplicationSchedule | % {Set-ADReplicationConnection $_ - ReplicationSchedule $schedule} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all the replication connections in the directory that replicate from corp-DC01. Set the daily replication schedule on these connection objects. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291124</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADReplicationConnection</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Set-ADReplicationSite</command:name><maml:description><maml:para>Sets the replication properties for an Active Directory site.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Set</command:verb><command:noun>ADReplicationSite</command:noun><dev:version /></command:details><maml:description><maml:para>The Set-ADReplicationSite cmdlet is used to set the properties for an Active Directory site that is being used for replication. Sites are used in Active Directory to either enable clients to discover network resources (published shares, domain controllers) close to the physical location of a client computer or to reduce network traffic over wide area network (WAN) links. Sites can also be used to optimize replication between domain controllers. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Set-ADReplicationSite</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=NorthAmerica,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSite</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AutomaticInterSiteTopologyGenerationEnabled</maml:name><maml:description><maml:para>Prevents the KCC that functions as the intersite topology generator (ISTG) from generating connections for intersite replication. Use this option when you want to create manual intersite connections (disable the ISTG) but retain the KCC to generate intrasite connections. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AutomaticTopologyGenerationEnabled</maml:name><maml:description><maml:para>When enabled, prevents the KCC from generating intrasite connections on all servers in the site. Disable this option if you use manual connections and do not want the KCC to build connections automatically. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>InterSiteTopologyGenerator</maml:name><maml:description><maml:para>The server acting as the inter-site topology generator for this site. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADDirectoryServer</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ManagedBy</maml:name><maml:description><maml:para>Specifies the user or group that manages the object by providing one of the following property values. Note: The identifier in parentheses is the LDAP display name for the property. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,OU=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>This parameter sets the Active Directory attribute with an LDAP Display Name of "managedBy". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-ManagedBy ContosoAdmins </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADPrincipal</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>RedundantServerTopologyEnabled</maml:name><maml:description><maml:para>Creates redundant connections between sites before a failure takes place. When enabled, disables KCC failover. Requires that automatic detection of failed connections also be disabled (+IS_TOPL_DETECT_STALE_DISABLED). </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ReplicationSchedule</maml:name><maml:description><maml:para>Default replication schedule for connections within this site (intra-site replication). </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ActiveDirectorySchedule</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ScheduleHashingEnabled</maml:name><maml:description><maml:para>Spreads replication start times randomly across the entire schedule interval rather than just the first quarter of the interval. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>TopologyCleanupEnabled</maml:name><maml:description><maml:para>When enabled, this optional parameter prevents the Kerberos consistency checker (KCC) from removing connection objects that it does not need. Disable this option if you want to take responsibility for removing old redundant connections. Alternatively, to control or augment the topology, you can use manual connections, which the KCC does not delete. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>TopologyDetectStaleEnabled</maml:name><maml:description><maml:para>This parameter option prevents the Kerberos consistency checker (KCC) from excluding servers that are unreachable from the topology; that is, the KCC does use an alternate server to reroute replication. Use this option only if network communication is very unstable and brief outages are expected. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>TopologyMinimumHopsEnabled</maml:name><maml:description><maml:para>When enabled, this parameter prevents the Kerberos consistency checker (KCC) from generating optimizing connections in the ring topology of intrasite replication. Optimizing connections reduce the replication latency in the site and disabling them is not recommended. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>UniversalGroupCachingEnabled</maml:name><maml:description><maml:para>If this parameter is true, it indicates this site caches universal groups, which are those groups cached on global catalog (GC) servers. It can be useful in sites with no GC servers available locally. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>UniversalGroupCachingRefreshSite</maml:name><maml:description><maml:para>If universal group caching is enabled, this parameter sets the name of the site from which the cache is pulled. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSite</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>WindowsServer2000BridgeheadSelectionMethodEnabled</maml:name><maml:description><maml:para>Implements the Windows 2000 Server method of selecting a single bridgehead server per directory partition and transport. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>WindowsServer2000KCCISTGSelectionBehaviorEnabled</maml:name><maml:description><maml:para>When enabled, this parameter implements the Windows 2000 Server method of Intersite Topology Generator (ISTG) selection. By default, it is disabled. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>WindowsServer2003KCCBehaviorEnabled</maml:name><maml:description><maml:para>Implements Kerberos consistency checker (KCC) operation that is consistent with Windows Server 2003 forest functional level. This option can be set if all domain controllers in the site are running Windows Server 2003. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>WindowsServer2003KCCIgnoreScheduleEnabled</maml:name><maml:description><maml:para>When the forest functional level Windows Server 2003 or Windows Server 2003 interim is in effect, provides KCC control of the ability to ignore schedules (replication occurs at the designated intervals and is always available). </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>WindowsServer2003KCCSiteLinkBridgingEnabled</maml:name><maml:description><maml:para>When the forest functional level Windows Server 2003 or Windows Server 2003 interim is in effect, provides Kerberos consistency checker (KCC) control of the ability to enable or disable site link bridging. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Set-ADReplicationSite</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of a site object to use as a template for a new site object. </maml:para><maml:para>You can use an instance of an existing site object as a template or you can construct a new site object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new site object. </maml:para><maml:para>Method 1: Use an existing site object as a template for a new object. To retrieve an instance of an existing site object, use a cmdlet such as Get-ADReplicationSite. Then provide this object to the Instance parameter of the New-ADReplicationSite cmdlet to create a new site object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADReplicationSite -Identity NorthAmerica </maml:para><maml:para>New-ADReplicationSite -Name "SouthAmerica" -Instance $ObjectInstance </maml:para><maml:para>Method 2: Create a new ADReplicationSite and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADReplicationSite cmdlet to create the new Active Directory object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADReplicationSite </maml:para><maml:para>$objectInstance.Description = North America" </maml:para><maml:para>New-ADReplicationSite -Name "NorthAmerica" -Instance $ObjectInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSite</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AutomaticInterSiteTopologyGenerationEnabled</maml:name><maml:description><maml:para>Prevents the KCC that functions as the intersite topology generator (ISTG) from generating connections for intersite replication. Use this option when you want to create manual intersite connections (disable the ISTG) but retain the KCC to generate intrasite connections. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AutomaticTopologyGenerationEnabled</maml:name><maml:description><maml:para>When enabled, prevents the KCC from generating intrasite connections on all servers in the site. Disable this option if you use manual connections and do not want the KCC to build connections automatically. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=NorthAmerica,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSite</command:parameterValue><dev:type><maml:name>ADReplicationSite</maml:name><maml:uri /></dev:type><dev:defaultValue>None</dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of a site object to use as a template for a new site object. </maml:para><maml:para>You can use an instance of an existing site object as a template or you can construct a new site object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new site object. </maml:para><maml:para>Method 1: Use an existing site object as a template for a new object. To retrieve an instance of an existing site object, use a cmdlet such as Get-ADReplicationSite. Then provide this object to the Instance parameter of the New-ADReplicationSite cmdlet to create a new site object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADReplicationSite -Identity NorthAmerica </maml:para><maml:para>New-ADReplicationSite -Name "SouthAmerica" -Instance $ObjectInstance </maml:para><maml:para>Method 2: Create a new ADReplicationSite and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADReplicationSite cmdlet to create the new Active Directory object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADReplicationSite </maml:para><maml:para>$objectInstance.Description = North America" </maml:para><maml:para>New-ADReplicationSite -Name "NorthAmerica" -Instance $ObjectInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSite</command:parameterValue><dev:type><maml:name>ADReplicationSite</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>InterSiteTopologyGenerator</maml:name><maml:description><maml:para>The server acting as the inter-site topology generator for this site. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADDirectoryServer</command:parameterValue><dev:type><maml:name>ADDirectoryServer</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ManagedBy</maml:name><maml:description><maml:para>Specifies the user or group that manages the object by providing one of the following property values. Note: The identifier in parentheses is the LDAP display name for the property. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,OU=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>This parameter sets the Active Directory attribute with an LDAP Display Name of "managedBy". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-ManagedBy ContosoAdmins </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADPrincipal</command:parameterValue><dev:type><maml:name>ADPrincipal</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>RedundantServerTopologyEnabled</maml:name><maml:description><maml:para>Creates redundant connections between sites before a failure takes place. When enabled, disables KCC failover. Requires that automatic detection of failed connections also be disabled (+IS_TOPL_DETECT_STALE_DISABLED). </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ReplicationSchedule</maml:name><maml:description><maml:para>Default replication schedule for connections within this site (intra-site replication). </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ActiveDirectorySchedule</command:parameterValue><dev:type><maml:name>ActiveDirectorySchedule</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ScheduleHashingEnabled</maml:name><maml:description><maml:para>Spreads replication start times randomly across the entire schedule interval rather than just the first quarter of the interval. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>TopologyCleanupEnabled</maml:name><maml:description><maml:para>When enabled, this optional parameter prevents the Kerberos consistency checker (KCC) from removing connection objects that it does not need. Disable this option if you want to take responsibility for removing old redundant connections. Alternatively, to control or augment the topology, you can use manual connections, which the KCC does not delete. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>TopologyDetectStaleEnabled</maml:name><maml:description><maml:para>This parameter option prevents the Kerberos consistency checker (KCC) from excluding servers that are unreachable from the topology; that is, the KCC does use an alternate server to reroute replication. Use this option only if network communication is very unstable and brief outages are expected. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>TopologyMinimumHopsEnabled</maml:name><maml:description><maml:para>When enabled, this parameter prevents the Kerberos consistency checker (KCC) from generating optimizing connections in the ring topology of intrasite replication. Optimizing connections reduce the replication latency in the site and disabling them is not recommended. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>UniversalGroupCachingEnabled</maml:name><maml:description><maml:para>If this parameter is true, it indicates this site caches universal groups, which are those groups cached on global catalog (GC) servers. It can be useful in sites with no GC servers available locally. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>UniversalGroupCachingRefreshSite</maml:name><maml:description><maml:para>If universal group caching is enabled, this parameter sets the name of the site from which the cache is pulled. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSite</command:parameterValue><dev:type><maml:name>ADReplicationSite</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>WindowsServer2000BridgeheadSelectionMethodEnabled</maml:name><maml:description><maml:para>Implements the Windows 2000 Server method of selecting a single bridgehead server per directory partition and transport. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>WindowsServer2000KCCISTGSelectionBehaviorEnabled</maml:name><maml:description><maml:para>When enabled, this parameter implements the Windows 2000 Server method of Intersite Topology Generator (ISTG) selection. By default, it is disabled. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>WindowsServer2003KCCBehaviorEnabled</maml:name><maml:description><maml:para>Implements Kerberos consistency checker (KCC) operation that is consistent with Windows Server 2003 forest functional level. This option can be set if all domain controllers in the site are running Windows Server 2003. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>WindowsServer2003KCCIgnoreScheduleEnabled</maml:name><maml:description><maml:para>When the forest functional level Windows Server 2003 or Windows Server 2003 interim is in effect, provides KCC control of the ability to ignore schedules (replication occurs at the designated intervals and is always available). </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>WindowsServer2003KCCSiteLinkBridgingEnabled</maml:name><maml:description><maml:para>When the forest functional level Windows Server 2003 or Windows Server 2003 interim is in effect, provides Kerberos consistency checker (KCC) control of the ability to enable or disable site link bridging. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADReplicationSite</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A site object is received by the Identity parameter. </maml:para><maml:para>A site object that was retrieved by using the Get-ADReplicationSite cmdlet and then modified is received by the Instance parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADReplicationSite</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADReplicationSite NorthAmerica -InterSiteTopologyGenerator corp-DC02 -AutomaticInterSiteTopologyGenerationEnabled $false </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Set the properties of the site with name 'NorthAmerica' to prevent its intersite topology generator (ISTG) at ‘corp-DC02’ from generating connections for intersite replication. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationSite -Filter * | % {Set-ADReplicationSite $_ -ScheduleHashingEnabled $true} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Returns all the sites in the directory and sets the ScheduleHashingEnabled propertyto spread replication start times randomly across the entire schedule interval rather than just the first quarter of the interval.. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>$schedule = New-Object -TypeName System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule; $schedule.ResetSchedule(); $schedule.SetDailySchedule("Twenty","Zero","TwentyTwo","Thirty"); Set-ADReplicationSite "Asia" -ReplicationSchedule $schedule </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Set the daily replication schedule of the site with name 'Asia'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291125</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADReplicationSite</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADReplicationSite</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADReplicationSite</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Set-ADReplicationSiteLink</command:name><maml:description><maml:para>Sets the properties for an Active Directory site link.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Set</command:verb><command:noun>ADReplicationSiteLink</command:noun><dev:version /></command:details><maml:description><maml:para>The Set-ADReplicationSiteLink cmdlet can be used to set properties on an Active Directory site link. A site link connects two or more sites. Site links reflect the administrative policy for how sites are to be interconnected and the methods used to transfer replication traffic. You must connect sites with site links so that domain controllers at each site can replicate Active Directory changes. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Set-ADReplicationSiteLink</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=NorthAmerica-SouthAmerica,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSiteLink</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Cost</maml:name><maml:description><maml:para>Specifies the cost to be placed on the site link. For more information on determining the cost, see the following topic called "Determining the Cost" in the TechNet Library: http://go.microsoft.com/fwlink/?LinkId=221871 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ReplicationFrequencyInMinutes</maml:name><maml:description><maml:para>Species the frequency (in minutes) for which replication will occur where this site link is in use between sites. Active Directory preserves bandwidth between sites by minimizing the frequency of replication and by allowing you to schedule the availability of site links for replication. By default, intersite replication across each site link occurs every 180 minutes (3 hours). You can adjust this frequency to match your specific needs. Be aware that increasing this frequency increases the amount of bandwidth used by replication. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ReplicationSchedule</maml:name><maml:description><maml:para>Specifies the default replication schedule for any connections within this site link (intra-site replication). This allows you to schedule the availability of site links for use by replication. By default, a site link is available to carry replication traffic 24 hours a day, 7 days a week. You can limit this schedule to specific days of the week and times of day. You can, for example, schedule intersite replication so that it only occurs after normal business hours. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ActiveDirectorySchedule</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SitesIncluded</maml:name><maml:description><maml:para>Specifies the list of sites included in the site link. For Set-ADReplicationSiteLink operations, you can add or include new sites within an existing site link by specifying them using this parameter. You do not have to specify all previously listed sites already within this link. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Set-ADReplicationSiteLink</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of a site link object to use as a template for a new site link object. </maml:para><maml:para>You can use an instance of an existing site link object as a template or you can construct a new site link object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new site link object. </maml:para><maml:para>Method 1: Use an existing site link object as a template for a new object. To retrieve an instance of an existing site link object, use a cmdlet such as Get-ADReplicationSiteLink. Then provide this object to the Instance parameter of the New-ADReplicationSiteLink cmdlet to create a new site link object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADReplicationSiteLink -Identity "NorthAmerica-SouthAmerica" </maml:para><maml:para>New-ADReplicationSiteLink -Name "Europe-Asia" -Instance $ObjectInstance </maml:para><maml:para>Method 2: Create a new ADReplicationSiteLink and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADReplicationSiteLink cmdlet to create the new Active Directory object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADReplicationSiteLink </maml:para><maml:para>$objectInstance.Description = "Between North America and South America." </maml:para><maml:para>New-ADReplicationSiteLink -Name "NorthAmerica-SouthAmerica"-Instance $ObjectInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSiteLink</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Cost</maml:name><maml:description><maml:para>Specifies the cost to be placed on the site link. For more information on determining the cost, see the following topic called "Determining the Cost" in the TechNet Library: http://go.microsoft.com/fwlink/?LinkId=221871 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=NorthAmerica-SouthAmerica,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSiteLink</command:parameterValue><dev:type><maml:name>ADReplicationSiteLink</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of a site link object to use as a template for a new site link object. </maml:para><maml:para>You can use an instance of an existing site link object as a template or you can construct a new site link object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new site link object. </maml:para><maml:para>Method 1: Use an existing site link object as a template for a new object. To retrieve an instance of an existing site link object, use a cmdlet such as Get-ADReplicationSiteLink. Then provide this object to the Instance parameter of the New-ADReplicationSiteLink cmdlet to create a new site link object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADReplicationSiteLink -Identity "NorthAmerica-SouthAmerica" </maml:para><maml:para>New-ADReplicationSiteLink -Name "Europe-Asia" -Instance $ObjectInstance </maml:para><maml:para>Method 2: Create a new ADReplicationSiteLink and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADReplicationSiteLink cmdlet to create the new Active Directory object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADReplicationSiteLink </maml:para><maml:para>$objectInstance.Description = "Between North America and South America." </maml:para><maml:para>New-ADReplicationSiteLink -Name "NorthAmerica-SouthAmerica"-Instance $ObjectInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSiteLink</command:parameterValue><dev:type><maml:name>ADReplicationSiteLink</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ReplicationFrequencyInMinutes</maml:name><maml:description><maml:para>Species the frequency (in minutes) for which replication will occur where this site link is in use between sites. Active Directory preserves bandwidth between sites by minimizing the frequency of replication and by allowing you to schedule the availability of site links for replication. By default, intersite replication across each site link occurs every 180 minutes (3 hours). You can adjust this frequency to match your specific needs. Be aware that increasing this frequency increases the amount of bandwidth used by replication. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Int32</command:parameterValue><dev:type><maml:name>Int32</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ReplicationSchedule</maml:name><maml:description><maml:para>Specifies the default replication schedule for any connections within this site link (intra-site replication). This allows you to schedule the availability of site links for use by replication. By default, a site link is available to carry replication traffic 24 hours a day, 7 days a week. You can limit this schedule to specific days of the week and times of day. You can, for example, schedule intersite replication so that it only occurs after normal business hours. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ActiveDirectorySchedule</command:parameterValue><dev:type><maml:name>ActiveDirectorySchedule</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SitesIncluded</maml:name><maml:description><maml:para>Specifies the list of sites included in the site link. For Set-ADReplicationSiteLink operations, you can add or include new sites within an existing site link by specifying them using this parameter. You do not have to specify all previously listed sites already within this link. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADReplicationSiteLink</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A site link object is received by the Identity parameter. </maml:para><maml:para>A site link object that was retrieved by using the Get-ADReplicationSitLink cmdlet and then modified is received by the Instance parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADReplicationSiteLink</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADReplicationSiteLink "Europe-Asia" -SitesIncluded @{Add="Asia2";Remove="Asia"} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Add site 'Asia2' to the site link 'Europe-Asia', and remove site 'Asia'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationSiteLink -Filter {ReplicationFrequencyInMinutes -ge 60} -Properties Cost | % {Set-ADReplicationSiteLink $_ -Cost 200} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all the site links in the directory with replication frequency greater than or equal to 60 minutes. Set the Cost property on these site link objects to 200. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code> C:\PS>$schedule = New-Object -TypeName System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule; $schedule.ResetSchedule(); $schedule.SetDailySchedule("Twenty","Zero","TwentyTwo","Thirty"); Set-ADReplicationSiteLink "NorthAmerica-SouthAmerica" -ReplicationSchedule $schedule </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Set the daily replication schedule of the site link with name 'NorthAmerica-SouthAmerica'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADReplicationSiteLink "Europe-Asia" -Replace @{'options'=1} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Enable change notification on the site link with name 'Europe-Asia'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291126</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADReplicationSiteLink</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADReplicationSiteLink</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADReplicationSiteLink</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Set-ADReplicationSiteLinkBridge</command:name><maml:description><maml:para>Sets the properties of a replication site link bridge in Active Directory.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Set</command:verb><command:noun>ADReplicationSiteLinkBridge</command:noun><dev:version /></command:details><maml:description><maml:para>The Set-ADReplicationSiteLinkBridge object sets the properties for a replication site link bridge in Active Directory. A site link bridge connects two or more site links and enables transitivity between site links. Each site link in a bridge must have a site in common with another site link in the bridge. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Set-ADReplicationSiteLinkBridge</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=NorthAmerica-Asia,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSiteLinkBridge</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SiteLinksIncluded</maml:name><maml:description><maml:para>Specifies the list of site links that are included in this site link bridge. Accepted values for this parameter are the distinguished name (DN), a GUID, or the name of a site link. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Set-ADReplicationSiteLinkBridge</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of a site link bridge object to use as a template for a new site link bridge object. </maml:para><maml:para>You can use an instance of an existing site link bridge object as a template or you can construct a new site link bridge object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new site link bridge object. </maml:para><maml:para>Method 1: Use an existing site link bridge object as a template for a new object. To retrieve an instance of an existing site link bridge object, use a cmdlet such as Get-ADReplicationSiteLinkBridge. Then provide this object to the Instance parameter of the New-ADReplicationSiteLinkBridge cmdlet to create a new site link bridge object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADReplicationSiteLinkBridge -Identity "NorthAmerica-Asia" </maml:para><maml:para>New-ADReplicationSiteLinkBridge -Name "SouthAmerica-Asia" -Instance $ObjectInstance </maml:para><maml:para>Method 2: Create a new ADReplicationSiteLinkBridge and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADReplicationSiteLinkBridge cmdlet to create the new Active Directory object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADReplicationSiteLinkBridge </maml:para><maml:para>$objectInstance.Description = Between North America and Asia." </maml:para><maml:para>New-ADReplicationSiteLinkBridge -Name "NorthAmerica-Asia" -Instance $ObjectInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSiteLinkBridge</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=NorthAmerica-Asia,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSiteLinkBridge</command:parameterValue><dev:type><maml:name>ADReplicationSiteLinkBridge</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of a site link bridge object to use as a template for a new site link bridge object. </maml:para><maml:para>You can use an instance of an existing site link bridge object as a template or you can construct a new site link bridge object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new site link bridge object. </maml:para><maml:para>Method 1: Use an existing site link bridge object as a template for a new object. To retrieve an instance of an existing site link bridge object, use a cmdlet such as Get-ADReplicationSiteLinkBridge. Then provide this object to the Instance parameter of the New-ADReplicationSiteLinkBridge cmdlet to create a new site link bridge object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADReplicationSiteLinkBridge -Identity "NorthAmerica-Asia" </maml:para><maml:para>New-ADReplicationSiteLinkBridge -Name "SouthAmerica-Asia" -Instance $ObjectInstance </maml:para><maml:para>Method 2: Create a new ADReplicationSiteLinkBridge and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADReplicationSiteLinkBridge cmdlet to create the new Active Directory object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADReplicationSiteLinkBridge </maml:para><maml:para>$objectInstance.Description = Between North America and Asia." </maml:para><maml:para>New-ADReplicationSiteLinkBridge -Name "NorthAmerica-Asia" -Instance $ObjectInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSiteLinkBridge</command:parameterValue><dev:type><maml:name>ADReplicationSiteLinkBridge</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SiteLinksIncluded</maml:name><maml:description><maml:para>Specifies the list of site links that are included in this site link bridge. Accepted values for this parameter are the distinguished name (DN), a GUID, or the name of a site link. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADReplicationSiteLinkBridge</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A site link bridge object is received by the Identity parameter. </maml:para><maml:para>A site link bridge object that was retrieved by using the Get-ADReplicationSiteLinkBridge cmdlet and then modified is received by the Instance parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADReplicationSiteLinkBridge</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADReplicationSiteLinkBridge "NorthAmerica-Asia" -SiteLinksIncluded @{Add='NorthAmerica-Europe2','Europe2-Asia';Remove='NorthAmerica-Europe','Europe-Asia'} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Update the site link bridge 'NorthAmerica-Asia' to use 'Europe2' instead of 'Europe'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationSiteLinkBridge -Filter {SiteLinksIncluded -eq "NorthAmerica-Europe" -and SiteLinksIncluded -eq "Europe-Asia"} -Properties SiteLinksIncluded | % {Set-ADReplicationSiteLinkBridge $_ -SiteLinksIncluded @{Add='NorthAmerica-Europe2','Europe2-Asia';Remove='NorthAmerica-Europe','Europe-Asia'}} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all the site link bridges in the directory that includes site links 'NorthAmerica-Europe' and 'Europe-Asia'. Update the site link bridge objects to use 'Europe2' instead of 'Europe'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291127</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADReplicationSiteLinkBridge</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADReplicationSiteLinkBridge</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADReplicationSiteLinkBridge</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Set-ADReplicationSubnet</command:name><maml:description><maml:para>Sets the properties of an Active Directory replication subnet object.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Set</command:verb><command:noun>ADReplicationSubnet</command:noun><dev:version /></command:details><maml:description><maml:para>The Set-ADReplicationSubnet cmdlet sets the properties of an Active Directory replication subnet object. Subnet objects (class subnet) define network subnets in Active Directory. A network subnet is a segment of a TCP/IP network to which a set of logical IP addresses is assigned. Subnets group computers in a way that identifies their physical proximity on the network. Subnet objects in Active Directory are used to map computers to sites. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Set-ADReplicationSubnet</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=10.0.0.0/25,CN=Subnets,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSubnet</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Location</maml:name><maml:description><maml:para>Can be used to describe the physical location of this subnet. This value may be displayed or made visible when the subnet object appears in other Active Directory administrative tools. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Site</maml:name><maml:description><maml:para>Specifies the site associated with this subnet. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSite</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Set-ADReplicationSubnet</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of a subnet object to use as a template for a new subnet object. </maml:para><maml:para>You can use an instance of an existing subnet object as a template or you can construct a new subnet object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new subnet object. </maml:para><maml:para>Method 1: Use an existing subnet object as a template for a new object. To retrieve an instance of an existing subnet object, use a cmdlet such as Get-ADReplicationSubnet. Then provide this object to the Instance parameter of the New-ADReplicationSubnet cmdlet to create a new subnet object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADReplicationSubnet -Identity "10.0.0.0/25" </maml:para><maml:para>New-ADReplicationSubnet -Name "12.0.0.0/25" -Instance $ObjectInstance </maml:para><maml:para>Method 2: Create a new ADReplicationSubnet and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADReplicationSubnet cmdlet to create the new subnet object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADReplicationSubnet </maml:para><maml:para>$objectInstance.Description = Branch office subnet" </maml:para><maml:para>New-ADReplicationSubnet -Name "10.0.0.0/25" -Instance $ObjectInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSubnet</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=10.0.0.0/25,CN=Subnets,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSubnet</command:parameterValue><dev:type><maml:name>ADReplicationSubnet</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of a subnet object to use as a template for a new subnet object. </maml:para><maml:para>You can use an instance of an existing subnet object as a template or you can construct a new subnet object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new subnet object. </maml:para><maml:para>Method 1: Use an existing subnet object as a template for a new object. To retrieve an instance of an existing subnet object, use a cmdlet such as Get-ADReplicationSubnet. Then provide this object to the Instance parameter of the New-ADReplicationSubnet cmdlet to create a new subnet object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADReplicationSubnet -Identity "10.0.0.0/25" </maml:para><maml:para>New-ADReplicationSubnet -Name "12.0.0.0/25" -Instance $ObjectInstance </maml:para><maml:para>Method 2: Create a new ADReplicationSubnet and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADReplicationSubnet cmdlet to create the new subnet object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADReplicationSubnet </maml:para><maml:para>$objectInstance.Description = Branch office subnet" </maml:para><maml:para>New-ADReplicationSubnet -Name "10.0.0.0/25" -Instance $ObjectInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSubnet</command:parameterValue><dev:type><maml:name>ADReplicationSubnet</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Location</maml:name><maml:description><maml:para>Can be used to describe the physical location of this subnet. This value may be displayed or made visible when the subnet object appears in other Active Directory administrative tools. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Site</maml:name><maml:description><maml:para>Specifies the site associated with this subnet. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADReplicationSite</command:parameterValue><dev:type><maml:name>ADReplicationSite</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADReplicationSubnet</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A subnet object is received by the Identity parameter. </maml:para><maml:para>A subnet object that was retrieved by using the Get-ADReplicationSubnet cmdlet and then modified is received by the Instance parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADReplicationSubnet</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADReplicationSubnet "10.0.0.12/22" -Site Asia -Location "Tokyo,Japan" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Set the properties of the subnet named '10.0.0.12/22'. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADReplicationSubnet -Filter {Location -like "*Japan"} -Properties Site | % {Set-ADReplicationSubnet $_ -Site Asia} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all the subnets in the directory that are in Japan, and set 'Asia' as their associated site. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291128</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADReplicationSubnet</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADReplicationSubnet</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADReplicationSubnet</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Set-ADResourceProperty</command:name><maml:description><maml:para>Modifies a resource property in Active Directory. </maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Set</command:verb><command:noun>ADResourceProperty</command:noun><dev:version /></command:details><maml:description><maml:para>The Set-ADResourceProperty cmdlet can be used to modify a resource property in Active Directory. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Set-ADResourceProperty</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavis,OU=users,OU=asia,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADResourceProperty</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AppliesToResourceTypes</maml:name><maml:description><maml:para>Specifies the list of resource types that this property applies to. For Set-ADResourceProperty operations, you can add or include new resource types within an existing property by specifying them using this parameter. You do not have to specify all previously listed resource types already within this property. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Displays the name of the resource property. The display name of the resource property must be unique. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Enabled</maml:name><maml:description><maml:para>Specifies if the resource property is enabled. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SharesValuesWith</maml:name><maml:description><maml:para>Use this parameter to create a reference resource property. Reference resource properties do not provide their own suggested values, but rather use the suggested values from the claim type object specified in this parameter. This enables the resource property to be always valid for comparisons with the referred claim type in a central access rule. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimType</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SuggestedValues</maml:name><maml:description><maml:para>Specifies one or more suggested values for the resource property. An application may choose to present this list of suggested values for the user to choose from. When RestrictValues is set to true, the application should restrict the user to pick values from this list only. </maml:para><maml:para>Example: </maml:para><maml:para>$us = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("US", "United States of America", "United States of America"); </maml:para><maml:para>$jp = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("JP", "Japan", "Japan"); </maml:para><maml:para>New-ADResourceProperty Country -ResourcePropertyValueType MS-DS-MultivaluedChoice -SuggestedValues $us,$jp </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADSuggestedValueEntry[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Set-ADResourceProperty</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of a resource property object to use as a template for a new resource property object. </maml:para><maml:para>You can use an instance of an existing resource property object as a template or you can construct a new resource property object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new resource property object. </maml:para><maml:para>Method 1: Use an existing resource property object as a template for a new object. To retrieve an instance of an existing resource property object, use a cmdlet such as Get-ADResourceProperty. Then provide this object to the Instance parameter of the New-ADResourceProperty cmdlet to create a new resource property object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADResourceProperty -Identity "Country" </maml:para><maml:para>New-ADResourceProperty -Name "Region" -Instance $ObjectInstance </maml:para><maml:para>Method 2: Create a new ADResourceProperty and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADResourceProperty cmdlet to create the new resource property object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADResourceProperty </maml:para><maml:para>$objectInstance.Description = "Non-Disclosure Agreement (NDA)" </maml:para><maml:para>New-ADResourceProperty -Name "NDA" -Instance $ObjectInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADResourceProperty</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AppliesToResourceTypes</maml:name><maml:description><maml:para>Specifies the list of resource types that this property applies to. For Set-ADResourceProperty operations, you can add or include new resource types within an existing property by specifying them using this parameter. You do not have to specify all previously listed resource types already within this property. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Displays the name of the resource property. The display name of the resource property must be unique. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Enabled</maml:name><maml:description><maml:para>Specifies if the resource property is enabled. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavis,OU=users,OU=asia,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADResourceProperty</command:parameterValue><dev:type><maml:name>ADResourceProperty</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of a resource property object to use as a template for a new resource property object. </maml:para><maml:para>You can use an instance of an existing resource property object as a template or you can construct a new resource property object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new resource property object. </maml:para><maml:para>Method 1: Use an existing resource property object as a template for a new object. To retrieve an instance of an existing resource property object, use a cmdlet such as Get-ADResourceProperty. Then provide this object to the Instance parameter of the New-ADResourceProperty cmdlet to create a new resource property object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADResourceProperty -Identity "Country" </maml:para><maml:para>New-ADResourceProperty -Name "Region" -Instance $ObjectInstance </maml:para><maml:para>Method 2: Create a new ADResourceProperty and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADResourceProperty cmdlet to create the new resource property object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADResourceProperty </maml:para><maml:para>$objectInstance.Description = "Non-Disclosure Agreement (NDA)" </maml:para><maml:para>New-ADResourceProperty -Name "NDA" -Instance $ObjectInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADResourceProperty</command:parameterValue><dev:type><maml:name>ADResourceProperty</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SharesValuesWith</maml:name><maml:description><maml:para>Use this parameter to create a reference resource property. Reference resource properties do not provide their own suggested values, but rather use the suggested values from the claim type object specified in this parameter. This enables the resource property to be always valid for comparisons with the referred claim type in a central access rule. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADClaimType</command:parameterValue><dev:type><maml:name>ADClaimType</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SuggestedValues</maml:name><maml:description><maml:para>Specifies one or more suggested values for the resource property. An application may choose to present this list of suggested values for the user to choose from. When RestrictValues is set to true, the application should restrict the user to pick values from this list only. </maml:para><maml:para>Example: </maml:para><maml:para>$us = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("US", "United States of America", "United States of America"); </maml:para><maml:para>$jp = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("JP", "Japan", "Japan"); </maml:para><maml:para>New-ADResourceProperty Country -ResourcePropertyValueType MS-DS-MultivaluedChoice -SuggestedValues $us,$jp </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADSuggestedValueEntry[]</command:parameterValue><dev:type><maml:name>ADSuggestedValueEntry[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADResourceProperty</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADResourceProperty</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>$us = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("US", "United States of America", "United States of America"); $jp = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("JP", "Japan", "Japan"); Set-ADResourceProperty Country -SuggestedValues $us,$jp </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Set the suggested values of the resource property with display name 'Country' to 'US' and 'JP'. Applications using this resource property would allow their users to specify one of the suggested values as this resource property's value. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADResourceProperty Country -SharesValuesWith Country </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Sets the resource property with display name 'Country' to reference an existing claim type named 'Country' for its suggested values. This enables the resource property to be always valid for comparisons with the referenced claim type in a central access rule. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291129</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Set-ADResourcePropertyList</command:name><maml:description><maml:para>Modifies a resource property list in Active Directory. </maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Set</command:verb><command:noun>ADResourcePropertyList</command:noun><dev:version /></command:details><maml:description><maml:para>The Set-ADResourcePropertyList cmdlet can be used to modify a resource property list in Active Directory. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Set-ADResourcePropertyList</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Global Resource Property List,CN=Resource Property Lists,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADResourcePropertyList</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Set-ADResourcePropertyList</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of a resource property list object to use as a template for a new resource property list object. </maml:para><maml:para>You can use an instance of an existing resource property list object as a template or you can construct a resource property list object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new resource property list object. </maml:para><maml:para>Method 1: Use an existing resource property list object as a template for a new object. To retrieve an instance of an existing resource property list object, use a cmdlet such as Get-ADResourcePropertyList. Then provide this object to the Instance parameter of the New-ADResourcePropertyList cmdlet to create a new resource property list object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADResourcePropertyList -Identity "Global Resource Property list" </maml:para><maml:para>New-ADResourcePropertyList -Name "Finance Resource Property List" -Instance $ObjectInstance </maml:para><maml:para>Method 2: Create a new ADResourcePropertyList and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADResourcePropertyList cmdlet to create the new resource property list object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADResourcePropertyList </maml:para><maml:para>$objectInstance.Description = "For finance use only." </maml:para><maml:para>New-ADResourcePropertyList -Name "Finance Resource Property List" -Instance $ObjectInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADResourcePropertyList</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=Global Resource Property List,CN=Resource Property Lists,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADResourcePropertyList</command:parameterValue><dev:type><maml:name>ADResourcePropertyList</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an instance of a resource property list object to use as a template for a new resource property list object. </maml:para><maml:para>You can use an instance of an existing resource property list object as a template or you can construct a resource property list object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create a new resource property list object. </maml:para><maml:para>Method 1: Use an existing resource property list object as a template for a new object. To retrieve an instance of an existing resource property list object, use a cmdlet such as Get-ADResourcePropertyList. Then provide this object to the Instance parameter of the New-ADResourcePropertyList cmdlet to create a new resource property list object. You can override property values of the new object by setting the appropriate parameters. </maml:para><maml:para>$objectInstance = Get-ADResourcePropertyList -Identity "Global Resource Property list" </maml:para><maml:para>New-ADResourcePropertyList -Name "Finance Resource Property List" -Instance $ObjectInstance </maml:para><maml:para>Method 2: Create a new ADResourcePropertyList and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADResourcePropertyList cmdlet to create the new resource property list object. </maml:para><maml:para>$objectInstance = new-object Microsoft.ActiveDirectory.Management.ADResourcePropertyList </maml:para><maml:para>$objectInstance.Description = "For finance use only." </maml:para><maml:para>New-ADResourcePropertyList -Name "Finance Resource Property List" -Instance $ObjectInstance </maml:para><maml:para>Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADResourcePropertyList</command:parameterValue><dev:type><maml:name>ADResourcePropertyList</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProtectedFromAccidentalDeletion</maml:name><maml:description><maml:para>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-ProtectedFromAccidentalDeletion $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADClaimTypeList</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADClaimTypeList</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADResourcePropertyList "Corporate Resource Property List" -Description "For corporate documents." </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Sets the resource property list named "Corporate Resource Property List" with the description "For corporate documents." </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADResourcePropertyList "Corporate Resource Property List" | Set-ADResourcePropertyList -Description "For corporate documents." </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Gets the resource property list named "Corporate Resource Property List" and then sets its description to "For corporate documents." </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291130</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Set-ADServiceAccount</command:name><maml:description><maml:para>Modifies an Active Directory managed service account or group managed service account object.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Set</command:verb><command:noun>ADServiceAccount</command:noun><dev:version /></command:details><maml:description><maml:para>The Set-ADServiceAccount cmdlet modifies the properties of an Active Directory managed service account (MSA). You can modify commonly used property values by using the cmdlet parameters. Property values that are not associated with cmdlet parameters can be modified by using the Add, Replace, Clear and Remove parameters. </maml:para><maml:para>The Identity parameter specifies the Active Directory MSA to modify. You can identify a MSA by its distinguished name (DN), GUID, security identifier (SID), or Security Accounts Manager (SAM) account name. You can also set the Identity parameter to an object variable such as $<localServiceAccountObject>, or you can pass an object through the pipeline to the Identity parameter. For example, you can use the Get-ADServiceAccount cmdlet to retrieve a MSA object and then pass the object through the pipeline to the Set-ADServiceAccount cmdlet. </maml:para><maml:para>The Instance parameter provides a way to update a MSA object by applying the changes made to a copy of the object. When you set the Instance parameter to a copy of an Active Directory MSA object that has been modified, the Set-ADServiceAccount cmdlet makes the same changes to the original MSA object. To get a copy of the object to modify, use the Get-ADServiceAccount object. When you specify the Instance parameter you should not pass the Identity parameter. For more information about the Instance parameter, see the Instance parameter description. </maml:para><maml:para>For more information about how the Instance concept is used in Active Directory cmdlets, see about_ActiveDirectory_Instance. </maml:para><maml:para>The following examples show how to modify the ServicePrincipalNames property of a MSA object by using three methods: </maml:para><maml:para>-By specifying the Identity and the ServicePrincipalNames parameters </maml:para><maml:para>-By passing a service account object through the pipeline and specifying the ServicePrincipalNames parameter </maml:para><maml:para>-By specifying the Instance parameter. </maml:para><maml:para>Method 1: Modify the ServicePrincipalNames property for the AccessIndia MSA by using the Identity and ServicePrincipalNames parameters. </maml:para><maml:para>Set-ADServiceAccount -Identity AccessIndia -ServicePrincipalNames @{Add=ACCESSAPP/india.contoso.com} </maml:para><maml:para>Method 2: Modify the ServicePrincipalNames property for the AccessIndia MSA by passing the AccessIndia MSA through the pipeline and specifying the ServicePrincipalNames parameter. </maml:para><maml:para>Get-ADServiceAccount -Identity "AccessIndia" | Set-ADServiceAccount -ServicePrincipalNames @{Add=ACCESSAPP/india.contoso.com} </maml:para><maml:para>Method 3: Modify the <property> property for the AccessIndia MSA by using the Windows PowerShell command line to modify a local instance of the AccessIndia MSA. Then set the Instance parameter to the local instance. </maml:para><maml:para>$serviceAccount = Get-ADServiceAccount -Identity "AccessIndia" </maml:para><maml:para>$serviceAccount.ServicePrincipalNames = @{Add=ACCESSAPP/india.contoso.com} </maml:para><maml:para>Set-ADServiceAccount -Instance $serviceAccount. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Set-ADServiceAccount</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory account object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=WebAccount,CN=ManagedServiceAccounts,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: WebAccount$ </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=WebAccount,CN=ManagedServiceAccounts,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to an account object instance named "AccountInstance". </maml:para><maml:para>-Identity $AccountInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADServiceAccount</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AccountExpirationDate</maml:name><maml:description><maml:para>Specifies the expiration date for an account. When you set this parameter to 0, the account never expires. This parameter sets the AccountExpirationDate property of an account object. The LDAP Display name (ldapDisplayName) for this property is accountExpires. </maml:para><maml:para>Use the DateTime syntax when you specify this parameter. Time is assumed to be local time unless otherwise specified. When a time value is not specified, the time is assumed to 12:00:00 AM local time. When a date is not specified, the date is assumed to be the current date. The following examples show commonly-used syntax to specify a DateTime object. </maml:para><maml:para>"4/17/2006" </maml:para><maml:para>"Monday, April 17, 2006" </maml:para><maml:para>"2:22:45 PM" </maml:para><maml:para>"Monday, April 17, 2006 2:22:45 PM" </maml:para><maml:para>These examples specify the same date and the time without the seconds. </maml:para><maml:para>"4/17/2006 2:22 PM" </maml:para><maml:para>"Monday, April 17, 2006 2:22 PM" </maml:para><maml:para>"2:22 PM" </maml:para><maml:para>The following example shows how to specify a date and time by using the RFC1123 standard. This example defines time by using Greenwich Mean Time (GMT). </maml:para><maml:para>"Mon, 17 Apr 2006 21:22:48 GMT" </maml:para><maml:para>The following example shows how to specify a round-trip value as Coordinated Universal Time (UTC). This example represents Monday, April 17, 2006 at 2:22:48 PM UTC. </maml:para><maml:para>"2006-04-17T14:22:48.0000000" </maml:para><maml:para>The following example shows how to set this parameter to the date May 1, 2012 at 5 PM. </maml:para><maml:para>-AccountExpirationDate "05/01/2012 5:00:00 PM" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AccountNotDelegated</maml:name><maml:description><maml:para>Specifies whether the security context of the user is delegated to a service. When this parameter is set to true, the security context of the account is not delegated to a service even when the service account is set as trusted for Kerberos delegation. This parameter sets the AccountNotDelegated property for an Active Directory account. This parameter also sets the ADS_UF_NOT_DELEGATED flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that the security context of the account is not delegated to a service. </maml:para><maml:para>-AccountNotDelegated $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthenticationPolicy</maml:name><maml:description><maml:para></maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthenticationPolicySilo</maml:name><maml:description><maml:para></maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicySilo</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Certificates</maml:name><maml:description><maml:para>Modifies the DER-encoded X.509v3 certificates of the account. These certificates include the public key certificates issued to this account by the Microsoft Certificate Service. This parameter sets the Certificates property of the account object. The LDAP Display Name (ldapDisplayName) for this property is "userCertificate". </maml:para><maml:para>Syntax: </maml:para><maml:para>To add values: </maml:para><maml:para>-Certificates @{Add=value1,value2,...} </maml:para><maml:para>To remove values: </maml:para><maml:para>-Certificates @{Remove=value3,value4,...} </maml:para><maml:para>To replace values: </maml:para><maml:para>-Certificates @{Replace=value1,value2,...} </maml:para><maml:para>To clear all values: </maml:para><maml:para>-Certificates $null </maml:para><maml:para>You can specify more than one operation by using a list separated by semicolons. For example, use the following syntax to add and remove Certificate values </maml:para><maml:para>-Certificates @{Add=value1,value2,...};@{Remove=value3,value4,...} </maml:para><maml:para>The operators will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>The following example shows how to create a certificate by using the New-Object cmdlet, and then add it to a user account. When this cmdlet is run, <certificate password> is replaced by the password used to add the certificate. </maml:para><maml:para>$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate certificate1.cer <certificate password> </maml:para><maml:para>Set-ADUser saradavis -Certificates @{Add=$cert} </maml:para><maml:para>The following example shows how to add a certificate that is specified as a byte array. </maml:para><maml:para>Set-ADUser saradavis -Certificates @{Add= [Byte[]](0xC5,0xEE,0x53,...)} </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>CompoundIdentitySupported</maml:name><maml:description><maml:para>Specifies whether an account supports Kerberos service tickets which includes the authorization data for the user's device. This value sets the compound identity supported flag of the Active Directory msDS-SupportedEncryptionTypes attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to specify that an account supports service tickets with device authorization data. </maml:para><maml:para>-SupportDeviceAuthz $true </maml:para><maml:para>Warning: Domain-joined Windows systems and services such as clustering manage their own msDS-SupportedEncryptionTypes attribute. Therefore any changes to the flag on the msDS-SupportedEncryptionTypes attribute will be overwritten by the service or system which manages the setting. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is "displayName". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-DisplayName "Sara Davis Laptop" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>DNSHostName</maml:name><maml:description><maml:para>Specifies the DNS host name. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Enabled</maml:name><maml:description><maml:para>Specifies if an account is enabled. An enabled account requires a password. This parameter sets the Enabled property for an account object. This parameter also sets the ADS_UF_ACCOUNTDISABLE flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to enable the account. </maml:para><maml:para>-Enabled $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>HomePage</maml:name><maml:description><maml:para>Specifies the URL of the home page of the object. This parameter sets the homePage property of an Active Directory object. The LDAP Display Name (ldapDisplayName) for this property is "wWWHomePage". </maml:para><maml:para>The following example shows how to set this parameter to a URL. </maml:para><maml:para>-HomePage "http://employees.contoso.com/sdavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>KerberosEncryptionType</maml:name><maml:description><maml:para>Specifies whether an account supports Kerberos encryption types which are used during creation of service tickets. This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes attribute. Possible values for this parameter are: </maml:para><maml:para>None </maml:para><maml:para>DES </maml:para><maml:para>RC4 </maml:para><maml:para>AES128 </maml:para><maml:para>AES256 </maml:para><maml:para>None, will remove all encryption types from the account may result in the KDC being unable to issue service tickets for services using the account. </maml:para><maml:para>DES is a weak encryption type which is not supported by default since Windows 7 and Windows Server 2008 R2. </maml:para><maml:para>The following example shows how to specify that an account supports service tickets with device authorization data. </maml:para><maml:para>-KerberosEncryptionTypes RC4,AES128,AES256 </maml:para><maml:para>Warning: Domain-joined Windows systems and services such as clustering manage their own msDS-SupportedEncryptionTypes attribute. Therefore any changes to the flag on the msDS-SupportedEncryptionTypes attribute will be overwritten by the service or system which manages the setting. </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">None</command:parameterValue><command:parameterValue required="true" variableLength="false">DES</command:parameterValue><command:parameterValue required="true" variableLength="false">RC4</command:parameterValue><command:parameterValue required="true" variableLength="false">AES128</command:parameterValue><command:parameterValue required="true" variableLength="false">AES256</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PrincipalsAllowedToDelegateToAccount</maml:name><maml:description><maml:para>Specifies the accounts which can act on the behalf of users to services running as this Managed Service Account or Group Managed Service Account. This parameter sets the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the object. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADPrincipal[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PrincipalsAllowedToRetrieveManagedPassword</maml:name><maml:description><maml:para>Specifies the membership policy for systems which can use a group managed service account. For a service to run under a group managed service account, the system must be in the membership policy of the account. This parameter sets the msDS-GroupMSAMembership attribute of a group managed service account object. This parameter should be set to the principals allowed to use this group managed service account. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADPrincipal[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SamAccountName</maml:name><maml:description><maml:para>Specifies the Security Account Manager (SAM) account name of the user, group, computer, or service account. The maximum length of the description is 256 characters. To be compatible with older operating systems, create a SAM account name that is 20 characters or less. This parameter sets the SAMAccountName for an account object. The LDAP display name (ldapDisplayName) for this property is "sAMAccountName". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-SAMAccountName "saradavis" </maml:para><maml:para>Note: If the string value provided is not terminated with a '$' character, the system adds one if needed. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ServicePrincipalNames</maml:name><maml:description><maml:para>Specifies the service principal names for the account. This parameter sets the ServicePrincipalNames property of the account. The LDAP display name (ldapDisplayName) for this property is servicePrincipalName. This parameter uses the following syntax to add remove, replace or clear service principal name values. </maml:para><maml:para>Syntax: </maml:para><maml:para>To add values: </maml:para><maml:para>-ServicePrincipalNames @{Add=value1,value2,...} </maml:para><maml:para>To remove values: </maml:para><maml:para>-ServicePrincipalNames @{Remove=value3,value4,...} </maml:para><maml:para>To replace values: </maml:para><maml:para>-ServicePrincipalNames @{Replace=value1,value2,...} </maml:para><maml:para>To clear all values: </maml:para><maml:para>-ServicePrincipalNames $null </maml:para><maml:para>You can specify more than one change by using a list separated by semicolons. For example, use the following syntax to add and remove service principal names. </maml:para><maml:para>@{Add=value1,value2,...};@{Remove=value3,value4,...} </maml:para><maml:para>The operators will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>The following example shows how to add and remove service principal names. </maml:para><maml:para>-ServicePrincipalNames-@{Add="SQLservice\accounting.corp.contoso.com:1456"};{Remove="SQLservice\finance.corp.contoso.com:1456"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>TrustedForDelegation</maml:name><maml:description><maml:para>Specifies whether an account is trusted for Kerberos delegation. A service that runs under an account that is trusted for Kerberos delegation can assume the identity of a client requesting the service. This parameter sets the TrustedForDelegation property of an account object. This value also sets the ADS_UF_TRUSTED_FOR_DELEGATION flag of the Active Directory User Account Control attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to specify that an account is trusted for Kerberos delegation. </maml:para><maml:para>-TrustedForDelegation $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Set-ADServiceAccount</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies a modified copy of a service account object to use to update the actual Active Directory service account object. When this parameter is used, any modifications made to the modified copy of the object are also made to the corresponding Active Directory object. The cmdlet only updates the object properties that have changed. </maml:para><maml:para>The Instance parameter can only update service account objects that have been retrieved by using the Get-ADServiceAccount cmdlet. When you specify the Instance parameter, you cannot specify other parameters that set properties on the object. </maml:para><maml:para>The following is an example of how to use the Get-ADServiceAccount cmdlet to retrieve an instance of the ADServiceAccount object. The object is modified by using the Windows PowerShell command line. Then the Set-ADServiceAccount cmdlet saves the changes to the Active Directory object. </maml:para><maml:para>Step 1: Retrieve a local instance of the object. </maml:para><maml:para>$serviceAccountInstance = Get-ADServiceAccount -Identity ADServiceAdmin </maml:para><maml:para>Step 2: Modify one or more properties of the object instance. </maml:para><maml:para>$serviceAccountInstance.Description = "default" </maml:para><maml:para>Step3: Save your changes to ADServiceAdmin. </maml:para><maml:para>Set-ADServiceAccount -Instance $serviceAccountInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADServiceAccount</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AccountExpirationDate</maml:name><maml:description><maml:para>Specifies the expiration date for an account. When you set this parameter to 0, the account never expires. This parameter sets the AccountExpirationDate property of an account object. The LDAP Display name (ldapDisplayName) for this property is accountExpires. </maml:para><maml:para>Use the DateTime syntax when you specify this parameter. Time is assumed to be local time unless otherwise specified. When a time value is not specified, the time is assumed to 12:00:00 AM local time. When a date is not specified, the date is assumed to be the current date. The following examples show commonly-used syntax to specify a DateTime object. </maml:para><maml:para>"4/17/2006" </maml:para><maml:para>"Monday, April 17, 2006" </maml:para><maml:para>"2:22:45 PM" </maml:para><maml:para>"Monday, April 17, 2006 2:22:45 PM" </maml:para><maml:para>These examples specify the same date and the time without the seconds. </maml:para><maml:para>"4/17/2006 2:22 PM" </maml:para><maml:para>"Monday, April 17, 2006 2:22 PM" </maml:para><maml:para>"2:22 PM" </maml:para><maml:para>The following example shows how to specify a date and time by using the RFC1123 standard. This example defines time by using Greenwich Mean Time (GMT). </maml:para><maml:para>"Mon, 17 Apr 2006 21:22:48 GMT" </maml:para><maml:para>The following example shows how to specify a round-trip value as Coordinated Universal Time (UTC). This example represents Monday, April 17, 2006 at 2:22:48 PM UTC. </maml:para><maml:para>"2006-04-17T14:22:48.0000000" </maml:para><maml:para>The following example shows how to set this parameter to the date May 1, 2012 at 5 PM. </maml:para><maml:para>-AccountExpirationDate "05/01/2012 5:00:00 PM" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue><dev:type><maml:name>DateTime</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AccountNotDelegated</maml:name><maml:description><maml:para>Specifies whether the security context of the user is delegated to a service. When this parameter is set to true, the security context of the account is not delegated to a service even when the service account is set as trusted for Kerberos delegation. This parameter sets the AccountNotDelegated property for an Active Directory account. This parameter also sets the ADS_UF_NOT_DELEGATED flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that the security context of the account is not delegated to a service. </maml:para><maml:para>-AccountNotDelegated $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthenticationPolicy</maml:name><maml:description><maml:para></maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue><dev:type><maml:name>ADAuthenticationPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthenticationPolicySilo</maml:name><maml:description><maml:para></maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicySilo</command:parameterValue><dev:type><maml:name>ADAuthenticationPolicySilo</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Certificates</maml:name><maml:description><maml:para>Modifies the DER-encoded X.509v3 certificates of the account. These certificates include the public key certificates issued to this account by the Microsoft Certificate Service. This parameter sets the Certificates property of the account object. The LDAP Display Name (ldapDisplayName) for this property is "userCertificate". </maml:para><maml:para>Syntax: </maml:para><maml:para>To add values: </maml:para><maml:para>-Certificates @{Add=value1,value2,...} </maml:para><maml:para>To remove values: </maml:para><maml:para>-Certificates @{Remove=value3,value4,...} </maml:para><maml:para>To replace values: </maml:para><maml:para>-Certificates @{Replace=value1,value2,...} </maml:para><maml:para>To clear all values: </maml:para><maml:para>-Certificates $null </maml:para><maml:para>You can specify more than one operation by using a list separated by semicolons. For example, use the following syntax to add and remove Certificate values </maml:para><maml:para>-Certificates @{Add=value1,value2,...};@{Remove=value3,value4,...} </maml:para><maml:para>The operators will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>The following example shows how to create a certificate by using the New-Object cmdlet, and then add it to a user account. When this cmdlet is run, <certificate password> is replaced by the password used to add the certificate. </maml:para><maml:para>$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate certificate1.cer <certificate password> </maml:para><maml:para>Set-ADUser saradavis -Certificates @{Add=$cert} </maml:para><maml:para>The following example shows how to add a certificate that is specified as a byte array. </maml:para><maml:para>Set-ADUser saradavis -Certificates @{Add= [Byte[]](0xC5,0xEE,0x53,...)} </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>CompoundIdentitySupported</maml:name><maml:description><maml:para>Specifies whether an account supports Kerberos service tickets which includes the authorization data for the user's device. This value sets the compound identity supported flag of the Active Directory msDS-SupportedEncryptionTypes attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to specify that an account supports service tickets with device authorization data. </maml:para><maml:para>-SupportDeviceAuthz $true </maml:para><maml:para>Warning: Domain-joined Windows systems and services such as clustering manage their own msDS-SupportedEncryptionTypes attribute. Therefore any changes to the flag on the msDS-SupportedEncryptionTypes attribute will be overwritten by the service or system which manages the setting. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>DNSHostName</maml:name><maml:description><maml:para>Specifies the DNS host name. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is "displayName". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-DisplayName "Sara Davis Laptop" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Enabled</maml:name><maml:description><maml:para>Specifies if an account is enabled. An enabled account requires a password. This parameter sets the Enabled property for an account object. This parameter also sets the ADS_UF_ACCOUNTDISABLE flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to enable the account. </maml:para><maml:para>-Enabled $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>HomePage</maml:name><maml:description><maml:para>Specifies the URL of the home page of the object. This parameter sets the homePage property of an Active Directory object. The LDAP Display Name (ldapDisplayName) for this property is "wWWHomePage". </maml:para><maml:para>The following example shows how to set this parameter to a URL. </maml:para><maml:para>-HomePage "http://employees.contoso.com/sdavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory account object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=WebAccount,CN=ManagedServiceAccounts,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: WebAccount$ </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=WebAccount,CN=ManagedServiceAccounts,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to an account object instance named "AccountInstance". </maml:para><maml:para>-Identity $AccountInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADServiceAccount</command:parameterValue><dev:type><maml:name>ADServiceAccount</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies a modified copy of a service account object to use to update the actual Active Directory service account object. When this parameter is used, any modifications made to the modified copy of the object are also made to the corresponding Active Directory object. The cmdlet only updates the object properties that have changed. </maml:para><maml:para>The Instance parameter can only update service account objects that have been retrieved by using the Get-ADServiceAccount cmdlet. When you specify the Instance parameter, you cannot specify other parameters that set properties on the object. </maml:para><maml:para>The following is an example of how to use the Get-ADServiceAccount cmdlet to retrieve an instance of the ADServiceAccount object. The object is modified by using the Windows PowerShell command line. Then the Set-ADServiceAccount cmdlet saves the changes to the Active Directory object. </maml:para><maml:para>Step 1: Retrieve a local instance of the object. </maml:para><maml:para>$serviceAccountInstance = Get-ADServiceAccount -Identity ADServiceAdmin </maml:para><maml:para>Step 2: Modify one or more properties of the object instance. </maml:para><maml:para>$serviceAccountInstance.Description = "default" </maml:para><maml:para>Step3: Save your changes to ADServiceAdmin. </maml:para><maml:para>Set-ADServiceAccount -Instance $serviceAccountInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADServiceAccount</command:parameterValue><dev:type><maml:name>ADServiceAccount</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>KerberosEncryptionType</maml:name><maml:description><maml:para>Specifies whether an account supports Kerberos encryption types which are used during creation of service tickets. This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes attribute. Possible values for this parameter are: </maml:para><maml:para>None </maml:para><maml:para>DES </maml:para><maml:para>RC4 </maml:para><maml:para>AES128 </maml:para><maml:para>AES256 </maml:para><maml:para>None, will remove all encryption types from the account may result in the KDC being unable to issue service tickets for services using the account. </maml:para><maml:para>DES is a weak encryption type which is not supported by default since Windows 7 and Windows Server 2008 R2. </maml:para><maml:para>The following example shows how to specify that an account supports service tickets with device authorization data. </maml:para><maml:para>-KerberosEncryptionTypes RC4,AES128,AES256 </maml:para><maml:para>Warning: Domain-joined Windows systems and services such as clustering manage their own msDS-SupportedEncryptionTypes attribute. Therefore any changes to the flag on the msDS-SupportedEncryptionTypes attribute will be overwritten by the service or system which manages the setting. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADKerberosEncryptionType</command:parameterValue><dev:type><maml:name>ADKerberosEncryptionType</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PrincipalsAllowedToDelegateToAccount</maml:name><maml:description><maml:para>Specifies the accounts which can act on the behalf of users to services running as this Managed Service Account or Group Managed Service Account. This parameter sets the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the object. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADPrincipal[]</command:parameterValue><dev:type><maml:name>ADPrincipal[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PrincipalsAllowedToRetrieveManagedPassword</maml:name><maml:description><maml:para>Specifies the membership policy for systems which can use a group managed service account. For a service to run under a group managed service account, the system must be in the membership policy of the account. This parameter sets the msDS-GroupMSAMembership attribute of a group managed service account object. This parameter should be set to the principals allowed to use this group managed service account. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADPrincipal[]</command:parameterValue><dev:type><maml:name>ADPrincipal[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SamAccountName</maml:name><maml:description><maml:para>Specifies the Security Account Manager (SAM) account name of the user, group, computer, or service account. The maximum length of the description is 256 characters. To be compatible with older operating systems, create a SAM account name that is 20 characters or less. This parameter sets the SAMAccountName for an account object. The LDAP display name (ldapDisplayName) for this property is "sAMAccountName". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-SAMAccountName "saradavis" </maml:para><maml:para>Note: If the string value provided is not terminated with a '$' character, the system adds one if needed. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ServicePrincipalNames</maml:name><maml:description><maml:para>Specifies the service principal names for the account. This parameter sets the ServicePrincipalNames property of the account. The LDAP display name (ldapDisplayName) for this property is servicePrincipalName. This parameter uses the following syntax to add remove, replace or clear service principal name values. </maml:para><maml:para>Syntax: </maml:para><maml:para>To add values: </maml:para><maml:para>-ServicePrincipalNames @{Add=value1,value2,...} </maml:para><maml:para>To remove values: </maml:para><maml:para>-ServicePrincipalNames @{Remove=value3,value4,...} </maml:para><maml:para>To replace values: </maml:para><maml:para>-ServicePrincipalNames @{Replace=value1,value2,...} </maml:para><maml:para>To clear all values: </maml:para><maml:para>-ServicePrincipalNames $null </maml:para><maml:para>You can specify more than one change by using a list separated by semicolons. For example, use the following syntax to add and remove service principal names. </maml:para><maml:para>@{Add=value1,value2,...};@{Remove=value3,value4,...} </maml:para><maml:para>The operators will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>The following example shows how to add and remove service principal names. </maml:para><maml:para>-ServicePrincipalNames-@{Add="SQLservice\accounting.corp.contoso.com:1456"};{Remove="SQLservice\finance.corp.contoso.com:1456"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>TrustedForDelegation</maml:name><maml:description><maml:para>Specifies whether an account is trusted for Kerberos delegation. A service that runs under an account that is trusted for Kerberos delegation can assume the identity of a client requesting the service. This parameter sets the TrustedForDelegation property of an account object. This value also sets the ADS_UF_TRUSTED_FOR_DELEGATION flag of the Active Directory User Account Control attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to specify that an account is trusted for Kerberos delegation. </maml:para><maml:para>-TrustedForDelegation $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADServiceAccount</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A managed service account object is received by the Identity parameter. </maml:para><maml:para>A managed service account object that was retrieved by using the Get-ADServiceAccount cmdlet and then modified is received by the Instance parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADServiceAccount</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns the modified managed service account object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with AD LDS. </maml:para><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADServiceAccount service1 -Description "Secretive Data Server" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Set the description of Managed Service Account 'service1' to "Secretive Data Server" </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADServiceAccount Mongol01ADAM -ServicePrincipalNames @{replace="ADAMwdb/a.contoso.com", "ADAMbdb/a.contoso.com"} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Replace the value of property ServicePrincipalNames with "ADAMwdb/a.contoso.com", "ADAMbdb/a.contoso.com" </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADServiceAccount service1 -PrincipalsAllowedToRetrieveManagedPassword "MsaAdmins.corp.contoso.com" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Sets the principals allowed to retrieve the password for this managed service account to be limited to only members of the specified Active Directory group account. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291131</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Install-ADServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Uninstall-ADServiceAccount</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Set-ADUser</command:name><maml:description><maml:para>Modifies an Active Directory user.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Set</command:verb><command:noun>ADUser</command:noun><dev:version /></command:details><maml:description><maml:para>The Set-ADUser cmdlet modifies the properties of an Active Directory user. You can modify commonly used property values by using the cmdlet parameters. Property values that are not associated with cmdlet parameters can be modified by using the Add, Replace, Clear and Remove parameters. </maml:para><maml:para>The Identity parameter specifies the Active Directory user to modify. You can identify a user by its distinguished name (DN), GUID, security identifier (SID) or Security Accounts Manager (SAM) account name. You can also set the Identity parameter to an object variable such as $<localUserObject>, or you can pass an object through the pipeline to the Identity parameter. For example, you can use the Get-ADUser cmdlet to retrieve a user object and then pass the object through the pipeline to the Set-ADUser cmdlet. </maml:para><maml:para>The Instance parameter provides a way to update a user object by applying the changes made to a copy of the object. When you set the Instance parameter to a copy of an Active Directory user object that has been modified, the Set-ADUser cmdlet makes the same changes to the original user object. To get a copy of the object to modify, use the Get-ADUser object. The Identity parameter is not allowed when you use the Instance parameter. For more information about the Instance parameter, see the Instance parameter description. For more information about how the Instance concept is used in Active Directory cmdlets, see about_ActiveDirectory_Instance. </maml:para><maml:para>Accounts created with the New-ADUser cmdlet will be disabled if no password is provided. </maml:para><maml:para>The following examples show how to modify the Manager property of a user object by using three methods: </maml:para><maml:para>-By specifying the Identity and the Manager parameters </maml:para><maml:para>-By passing a user object through the pipeline and specifying the Manager parameter </maml:para><maml:para>-By specifying the Instance parameter. </maml:para><maml:para>Method 1: Modify the Manager property for the "saraDavis" user by using the Identity and Manager parameters. </maml:para><maml:para>Set-ADUser -Identity "saraDavis" -Manager "JimCorbin" </maml:para><maml:para>Method 2: Modify the Manager property for the "saraDavis" user by passing the "saraDavis" user through the pipeline and specifying the Manager parameter. </maml:para><maml:para>Get-ADUser -Identity "saraDavis" | Set-ADUser -Manager "JimCorbin" </maml:para><maml:para>Method 3: Modify the Manager property for the "saraDavis" user by using the Windows PowerShell command line to modify a local instance of the "saraDavis" user. Then set the Instance parameter to the local instance. </maml:para><maml:para>$user = Get-ADUser -Identity "saraDavis" </maml:para><maml:para>$user.Manager = "JimCorbin" </maml:para><maml:para>Set-ADUser -Instance $user. </maml:para><maml:para>For AD LDS environments, the Partition parameter must be specified except in the following two conditions: </maml:para><maml:para>-The cmdlet is run from an Active Directory provider drive. </maml:para><maml:para>-A default naming context or partition is defined for the AD LDS environment. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Set-ADUser</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory user object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM account name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=SaraDavis,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a user object instance named "userInstance". </maml:para><maml:para>-Identity $userInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADUser</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AccountExpirationDate</maml:name><maml:description><maml:para>Specifies the expiration date for an account. When you set this parameter to 0, the account never expires. This parameter sets the AccountExpirationDate property of an account object. The LDAP Display name (ldapDisplayName) for this property is accountExpires. </maml:para><maml:para>Use the DateTime syntax when you specify this parameter. Time is assumed to be local time unless otherwise specified. When a time value is not specified, the time is assumed to 12:00:00 AM local time. When a date is not specified, the date is assumed to be the current date. The following examples show commonly-used syntax to specify a DateTime object. </maml:para><maml:para>"4/17/2006" </maml:para><maml:para>"Monday, April 17, 2006" </maml:para><maml:para>"2:22:45 PM" </maml:para><maml:para>"Monday, April 17, 2006 2:22:45 PM" </maml:para><maml:para>These examples specify the same date and the time without the seconds. </maml:para><maml:para>"4/17/2006 2:22 PM" </maml:para><maml:para>"Monday, April 17, 2006 2:22 PM" </maml:para><maml:para>"2:22 PM" </maml:para><maml:para>The following example shows how to specify a date and time by using the RFC1123 standard. This example defines time by using Greenwich Mean Time (GMT). </maml:para><maml:para>"Mon, 17 Apr 2006 21:22:48 GMT" </maml:para><maml:para>The following example shows how to specify a round-trip value as Coordinated Universal Time (UTC). This example represents Monday, April 17, 2006 at 2:22:48 PM UTC. </maml:para><maml:para>"2006-04-17T14:22:48.0000000" </maml:para><maml:para>The following example shows how to set this parameter to the date May 1, 2012 at 5 PM. </maml:para><maml:para>-AccountExpirationDate "05/01/2012 5:00:00 PM" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AccountNotDelegated</maml:name><maml:description><maml:para>Specifies whether the security context of the user is delegated to a service. When this parameter is set to true, the security context of the account is not delegated to a service even when the service account is set as trusted for Kerberos delegation. This parameter sets the AccountNotDelegated property for an Active Directory account. This parameter also sets the ADS_UF_NOT_DELEGATED flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that the security context of the account is not delegated to a service. </maml:para><maml:para>-AccountNotDelegated $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AllowReversiblePasswordEncryption</maml:name><maml:description><maml:para>Specifies whether reversible password encryption is allowed for the account. This parameter sets the AllowReversiblePasswordEncryption property of the account. This parameter also sets the ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-AllowReversiblePasswordEncryption $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthenticationPolicy</maml:name><maml:description><maml:para></maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthenticationPolicySilo</maml:name><maml:description><maml:para></maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicySilo</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>CannotChangePassword</maml:name><maml:description><maml:para>Specifies whether the account password can be changed. This parameter sets the CannotChangePassword property of an account. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that the account password can be changed. </maml:para><maml:para>-CannotChangePassword $false </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Certificates</maml:name><maml:description><maml:para>Modifies the DER-encoded X.509v3 certificates of the account. These certificates include the public key certificates issued to this account by the Microsoft Certificate Service. This parameter sets the Certificates property of the account object. The LDAP Display Name (ldapDisplayName) for this property is "userCertificate". </maml:para><maml:para>Syntax: </maml:para><maml:para>To add values: </maml:para><maml:para>-Certificates @{Add=value1,value2,...} </maml:para><maml:para>To remove values: </maml:para><maml:para>-Certificates @{Remove=value3,value4,...} </maml:para><maml:para>To replace values: </maml:para><maml:para>-Certificates @{Replace=value1,value2,...} </maml:para><maml:para>To clear all values: </maml:para><maml:para>-Certificates $null </maml:para><maml:para>You can specify more than one operation by using a list separated by semicolons. For example, use the following syntax to add and remove Certificate values </maml:para><maml:para>-Certificates @{Add=value1,value2,...};@{Remove=value3,value4,...} </maml:para><maml:para>The operators will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>The following example shows how to create a certificate by using the New-Object cmdlet, and then add it to a user account. When this cmdlet is run, <certificate password> is replaced by the password used to add the certificate. </maml:para><maml:para>$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate certificate1.cer <certificate password> </maml:para><maml:para>Set-ADUser saradavis -Certificates @{Add=$cert} </maml:para><maml:para>The following example shows how to add a certificate that is specified as a byte array. </maml:para><maml:para>Set-ADUser saradavis -Certificates @{Add= [Byte[]](0xC5,0xEE,0x53,...)} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ChangePasswordAtLogon</maml:name><maml:description><maml:para>Specifies whether a password must be changed during the next logon attempt. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>This parameter cannot be set to $true or 1 for an account that also has the PasswordNeverExpires property set to true. </maml:para><maml:para>The following example shows how to set this parameter so that the password must be changed at logon. </maml:para><maml:para>-ChangePasswordAtLogon $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>City</maml:name><maml:description><maml:para>Specifies the user's town or city. This parameter sets the City property of a user. The LDAP display name (ldapDisplayName) of this property is "l". </maml:para><maml:para>The following example shows how set this parameter. </maml:para><maml:para>-City "Las Vegas" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Company</maml:name><maml:description><maml:para>Specifies the user's company. This parameter sets the Company property of a user object. The LDAP display name (ldapDisplayName) of this property is "company". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Company "Contoso" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>CompoundIdentitySupported</maml:name><maml:description><maml:para>Specifies whether an account supports Kerberos service tickets which includes the authorization data for the user's device. This value sets the compound identity supported flag of the Active Directory msDS-SupportedEncryptionTypes attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to specify that an account supports service tickets with device authorization data. </maml:para><maml:para>-SupportDeviceAuthz $true </maml:para><maml:para>Warning: Domain-joined Windows systems and services such as clustering manage their own msDS-SupportedEncryptionTypes attribute. Therefore any changes to the flag on the msDS-SupportedEncryptionTypes attribute will be overwritten by the service or system which manages the setting. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Country</maml:name><maml:description><maml:para>Specifies the country or region code for the user's language of choice. This parameter sets the Country property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "c". This value is not used by Windows 2000. </maml:para><maml:para>The following example shows how set this parameter. </maml:para><maml:para>-Country "IN" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Department</maml:name><maml:description><maml:para>Specifies the user's department. This parameter sets the Department property of a user. The LDAP Display Name (ldapDisplayName) of this property is "department". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Department "Development" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is "displayName". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-DisplayName "Sara Davis Laptop" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Division</maml:name><maml:description><maml:para>Specifies the user's division. This parameter sets the Division property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "division". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Division "Software" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>EmailAddress</maml:name><maml:description><maml:para>Specifies the user's e-mail address. This parameter sets the EmailAddress property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "mail". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-EmailAddress "saradavis@contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>EmployeeID</maml:name><maml:description><maml:para>Specifies the user's employee ID. This parameter sets the EmployeeID property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "employeeID". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-EmployeeID "A123456" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>EmployeeNumber</maml:name><maml:description><maml:para>Specifies the user's employee number. This parameter sets the EmployeeNumber property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "employeeNumber". </maml:para><maml:para>The following example shows how set this parameter. </maml:para><maml:para>-EmployeeNumber "12345678" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Enabled</maml:name><maml:description><maml:para>Specifies if an account is enabled. An enabled account requires a password. This parameter sets the Enabled property for an account object. This parameter also sets the ADS_UF_ACCOUNTDISABLE flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to enable the account. </maml:para><maml:para>-Enabled $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Fax</maml:name><maml:description><maml:para>Specifies the user's fax phone number. This parameter sets the Fax property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "facsimileTelephoneNumber". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Fax "+1 (999) 555 1212" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>GivenName</maml:name><maml:description><maml:para>Specifies the user's given name. This parameter sets the GivenName property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "givenName". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-givenName "Sanjay" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>HomeDirectory</maml:name><maml:description><maml:para>Specifies a user's home directory. This parameter sets the HomeDirectory property of a user object. The LDAP Display Name (ldapDisplayName) for this property is "homeDirectory". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-HomeDirectory "\\users\saraDavisHomeDir" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>HomeDrive</maml:name><maml:description><maml:para>Specifies a drive that is associated with the UNC path defined by the HomeDirectory property. The drive letter is specified as "<DriveLetter>:" where <DriveLetter> indicates the letter of the drive to associate. The <DriveLetter> must be a single, uppercase letter and the colon is required. This parameter sets the HomeDrive property of the user object. The LDAP Display Name (ldapDisplayName) for this property is "homeDrive". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-HomeDrive "D:" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>HomePage</maml:name><maml:description><maml:para>Specifies the URL of the home page of the object. This parameter sets the homePage property of an Active Directory object. The LDAP Display Name (ldapDisplayName) for this property is "wWWHomePage". </maml:para><maml:para>The following example shows how to set this parameter to a URL. </maml:para><maml:para>-HomePage "http://employees.contoso.com/sdavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>HomePhone</maml:name><maml:description><maml:para>Specifies the user's home telephone number. This parameter sets the HomePhone property of a user. The LDAP Display Name (ldapDisplayName) of this property is "homePhone". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-HomePhone "+1 (999) 555 1212" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Initials</maml:name><maml:description><maml:para>Specifies the initials that represent part of a user's name. You can use this value for the user's middle initial. This parameter sets the Initials property of a user. The LDAP Display Name (ldapDisplayName) of this property is "initials". </maml:para><maml:para>The following example shows how set this parameter. </maml:para><maml:para>-Initials "L" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>KerberosEncryptionType</maml:name><maml:description><maml:para>Specifies whether an account supports Kerberos encryption types which are used during creation of service tickets. This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes attribute. Possible values for this parameter are: </maml:para><maml:para>None </maml:para><maml:para>DES </maml:para><maml:para>RC4 </maml:para><maml:para>AES128 </maml:para><maml:para>AES256 </maml:para><maml:para>None, will remove all encryption types from the account resulting the KDC being unable to issue service tickets for services using the account. </maml:para><maml:para>DES is a weak encryption type which is not supported by default since Windows 7 and Windows Server 2008 R2. </maml:para><maml:para>The following example shows how to specify that an account supports service tickets with device authorization data. </maml:para><maml:para>-KerberosEncryptionTypes RC4|AES128|AES256 </maml:para><maml:para>Warning: Domain-joined Windows systems and services such as clustering manage their own msDS-SupportedEncryptionTypes attribute. Therefore any changes to the flag on the msDS-SupportedEncryptionTypes attribute will be overwritten by the service or system which manages the setting. </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">None</command:parameterValue><command:parameterValue required="true" variableLength="false">DES</command:parameterValue><command:parameterValue required="true" variableLength="false">RC4</command:parameterValue><command:parameterValue required="true" variableLength="false">AES128</command:parameterValue><command:parameterValue required="true" variableLength="false">AES256</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LogonWorkstations</maml:name><maml:description><maml:para>Specifies the computers that the user can access. To specify more than one computer, create a single comma-separated list. You can identify a computer by using the Security Accounts Manager (SAM) account name (sAMAccountName) or the DNS host name of the computer. The SAM account name is the same as the NetBIOS name of the computer. </maml:para><maml:para>The LDAP display name (ldapDisplayName) for this property is "userWorkStations". </maml:para><maml:para>The following example shows how to set this parameter by using SAMAccountName (NetBIOS name) and DNSHostName values. </maml:para><maml:para>-LogonWorkstations "saraDavisDesktop,saraDavisLapTop,projectA.corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Manager</maml:name><maml:description><maml:para>Specifies the user's manager. This parameter sets the Manager property of a user. This parameter is set by providing one of the following property values. Note: The identifier in parentheses is the LDAP display name for the property. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>The LDAP Display Name (ldapDisplayName) of this property is "manager". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Manager saradavis </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADUser</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>MobilePhone</maml:name><maml:description><maml:para>Specifies the user's mobile phone number. This parameter sets the MobilePhone property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "mobile". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-MobilePhone "+1 (999 ) 555 1212" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Office</maml:name><maml:description><maml:para>Specifies the location of the user's office or place of business. This parameter sets the Office property of a user object. The LDAP display name (ldapDisplayName) of this property is "office". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Office "D1042" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OfficePhone</maml:name><maml:description><maml:para>Specifies the user's office telephone number. This parameter sets the OfficePhone property of a user object. The LDAP display name (ldapDisplayName) of this property is "telephoneNumber". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-OfficePhone "+1 (999) 555 1212" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Organization</maml:name><maml:description><maml:para>Specifies the user's organization. This parameter sets the Organization property of a user object. The LDAP display name (ldapDisplayName) of this property is "o". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Organization "Accounting" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OtherName</maml:name><maml:description><maml:para>Specifies a name in addition to a user's given name and surname, such as the user's middle name. This parameter sets the OtherName property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "middleName". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-OtherName "Peter" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PasswordNeverExpires</maml:name><maml:description><maml:para>Specifies whether the password of an account can expire. This parameter sets the PasswordNeverExpires property of an account object. This parameter also sets the ADS_UF_DONT_EXPIRE_PASSWD flag of the Active Directory User Account Control attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>Note: This parameter cannot be set to $true or 1 for an account that also has the ChangePasswordAtLogon property set to true. </maml:para><maml:para>The following example shows how to set this parameter so that the password can expire. </maml:para><maml:para>-PasswordNeverExpires $false </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PasswordNotRequired</maml:name><maml:description><maml:para>Specifies whether the account requires a password. This parameter sets the PasswordNotRequired property of an account, such as a user or computer account. This parameter also sets the ADS_UF_PASSWD_NOTREQD flag of the Active Directory User Account Control attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that as password is not required for the account. </maml:para><maml:para>-PasswordNotRequired $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>POBox</maml:name><maml:description><maml:para>Specifies the user's post office box number. This parameter sets the POBox property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "postOfficeBox". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-POBox "25662" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PostalCode</maml:name><maml:description><maml:para>Specifies the user's postal code or zip code. This parameter sets the PostalCode property of a user. The LDAP Display Name (ldapDisplayName) of this property is "postalCode". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-PostalCode "28712" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PrincipalsAllowedToDelegateToAccount</maml:name><maml:description><maml:para>This parameter sets the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of a computer account object. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADPrincipal[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProfilePath</maml:name><maml:description><maml:para>Specifies a path to the user's profile. This value can be a local absolute path or a Universal Naming Convention (UNC) path. This parameter sets the ProfilePath property of the user object. The LDAP display name (ldapDisplayName) for this property is "profilePath". </maml:para><maml:para>The following examples show how to set this parameter to a local path and to a UNC path. -ProfilePath "E:\users\profiles\saraDavis" </maml:para><maml:para>-ProfilePath "\\users\profiles\saraDavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SamAccountName</maml:name><maml:description><maml:para>Specifies the Security Account Manager (SAM) account name of the user, group, computer, or service account. The maximum length of the description is 256 characters. To be compatible with older operating systems, create a SAM account name that is 20 characters or less. This parameter sets the SAMAccountName for an account object. The LDAP display name (ldapDisplayName) for this property is "sAMAccountName". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-SAMAccountName "saradavis" </maml:para><maml:para>Note: If the string value provided is not terminated with a '$' character, the system adds one if needed. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ScriptPath</maml:name><maml:description><maml:para>Specifies a path to the user's log on script. This value can be a local absolute path or a Universal Naming Convention (UNC) path. This parameter sets the ScriptPath property of the user. The LDAP display name (ldapDisplayName) for this property is "scriptPath". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ScriptPath "\\logonScripts\saradavisLogin" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ServicePrincipalNames</maml:name><maml:description><maml:para>Specifies the service principal names for the account. This parameter sets the ServicePrincipalNames property of the account. The LDAP display name (ldapDisplayName) for this property is servicePrincipalName. This parameter uses the following syntax to add remove, replace or clear service principal name values. </maml:para><maml:para>Syntax: </maml:para><maml:para>To add values: </maml:para><maml:para>-ServicePrincipalNames @{Add=value1,value2,...} </maml:para><maml:para>To remove values: </maml:para><maml:para>-ServicePrincipalNames @{Remove=value3,value4,...} </maml:para><maml:para>To replace values: </maml:para><maml:para>-ServicePrincipalNames @{Replace=value1,value2,...} </maml:para><maml:para>To clear all values: </maml:para><maml:para>-ServicePrincipalNames $null </maml:para><maml:para>You can specify more than one change by using a list separated by semicolons. For example, use the following syntax to add and remove service principal names. </maml:para><maml:para>@{Add=value1,value2,...};@{Remove=value3,value4,...} </maml:para><maml:para>The operators will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>The following example shows how to add and remove service principal names. </maml:para><maml:para>-ServicePrincipalNames-@{Add="SQLservice\accounting.corp.contoso.com:1456"};{Remove="SQLservice\finance.corp.contoso.com:1456"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SmartcardLogonRequired</maml:name><maml:description><maml:para>Specifies whether a smart card is required to logon. This parameter sets the SmartCardLoginRequired property for a user. This parameter also sets the ADS_UF_SMARTCARD_REQUIRED flag of the Active Directory User Account Control attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that a smart card is required to logon to the account. </maml:para><maml:para>-SmartCardLogonRequired $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>State</maml:name><maml:description><maml:para>Specifies the user's or Organizational Unit's state or province. This parameter sets the State property of a User or Organizational Unit object. The LDAP display name (ldapDisplayName) of this property is "st". </maml:para><maml:para>The following example shows how set this parameter. </maml:para><maml:para>-State "Nevada" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>StreetAddress</maml:name><maml:description><maml:para>Specifies the user's street address. This parameter sets the StreetAddress property of a user object. The LDAP display name (ldapDisplayName) of this property is "streetAddress". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-StreetAddress "1200 Main Street" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Surname</maml:name><maml:description><maml:para>Specifies the user's last name or surname. This parameter sets the Surname property of a user object. The LDAP display name (ldapDisplayName) of this property is "sn". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Surname "Patel" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Title</maml:name><maml:description><maml:para>Specifies the user's title. This parameter sets the Title property of a user object. The LDAP display name (ldapDisplayName) of this property is "title". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Title "Manager" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>TrustedForDelegation</maml:name><maml:description><maml:para>Specifies whether an account is trusted for Kerberos delegation. A service that runs under an account that is trusted for Kerberos delegation can assume the identity of a client requesting the service. This parameter sets the TrustedForDelegation property of an account object. This value also sets the ADS_UF_TRUSTED_FOR_DELEGATION flag of the Active Directory User Account Control attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to specify that an account is trusted for Kerberos delegation. </maml:para><maml:para>-TrustedForDelegation $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>UserPrincipalName</maml:name><maml:description><maml:para>Each user account has a user principal name (UPN) in the format <user>@<DNS-domain-name>. A UPN is a friendly name assigned by an administrator that is shorter than the LDAP distinguished name used by the system and easier to remember. The UPN is independent of the user object's DN, so a user object can be moved or renamed without affecting the user logon name. When logging on using a UPN, users no longer have to choose a domain from a list on the logon dialog box. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Set-ADUser</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SamAccountName</maml:name><maml:description><maml:para>Specifies the Security Account Manager (SAM) account name of the user, group, computer, or service account. The maximum length of the description is 256 characters. To be compatible with older operating systems, create a SAM account name that is 20 characters or less. This parameter sets the SAMAccountName for an account object. The LDAP display name (ldapDisplayName) for this property is "sAMAccountName". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-SAMAccountName "saradavis" </maml:para><maml:para>Note: If the string value provided is not terminated with a '$' character, the system adds one if needed. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an ADUser object that identifies the Active Directory user object that should be modified and the set of changes that should be made to that object. When this parameter is used, any modifications made to the ADUser object are also made to the corresponding Active Directory object. The cmdlet only updates the object properties that have changed. </maml:para><maml:para>The ADUser object specified as the value of the -Instance parameter must have been retrieved by using the Get-ADUser cmdlet. When you specify the Instance parameter, you cannot specify other parameters that set individual properties on the object. </maml:para><maml:para>The following is an example of how to use the Get-ADUser cmdlet to retrieve an instance of the ADUser object. The object is modified by using the Windows PowerShell command line. Then the Set-ADUser cmdlet saves the changes to the Active Directory object. </maml:para><maml:para>Step 1: Retrieve a local instance of the object. </maml:para><maml:para>$userInstance = Get-ADUser -Identity saraDavis </maml:para><maml:para>Step 2: Modify one or more properties of the object instance. </maml:para><maml:para>$userInstance.EmailAddress = "saradavis@contoso.com" </maml:para><maml:para>Step3: Save your changes to saraDavis. </maml:para><maml:para>Set-ADUser -Instance $userInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADUser</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AccountExpirationDate</maml:name><maml:description><maml:para>Specifies the expiration date for an account. When you set this parameter to 0, the account never expires. This parameter sets the AccountExpirationDate property of an account object. The LDAP Display name (ldapDisplayName) for this property is accountExpires. </maml:para><maml:para>Use the DateTime syntax when you specify this parameter. Time is assumed to be local time unless otherwise specified. When a time value is not specified, the time is assumed to 12:00:00 AM local time. When a date is not specified, the date is assumed to be the current date. The following examples show commonly-used syntax to specify a DateTime object. </maml:para><maml:para>"4/17/2006" </maml:para><maml:para>"Monday, April 17, 2006" </maml:para><maml:para>"2:22:45 PM" </maml:para><maml:para>"Monday, April 17, 2006 2:22:45 PM" </maml:para><maml:para>These examples specify the same date and the time without the seconds. </maml:para><maml:para>"4/17/2006 2:22 PM" </maml:para><maml:para>"Monday, April 17, 2006 2:22 PM" </maml:para><maml:para>"2:22 PM" </maml:para><maml:para>The following example shows how to specify a date and time by using the RFC1123 standard. This example defines time by using Greenwich Mean Time (GMT). </maml:para><maml:para>"Mon, 17 Apr 2006 21:22:48 GMT" </maml:para><maml:para>The following example shows how to specify a round-trip value as Coordinated Universal Time (UTC). This example represents Monday, April 17, 2006 at 2:22:48 PM UTC. </maml:para><maml:para>"2006-04-17T14:22:48.0000000" </maml:para><maml:para>The following example shows how to set this parameter to the date May 1, 2012 at 5 PM. </maml:para><maml:para>-AccountExpirationDate "05/01/2012 5:00:00 PM" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue><dev:type><maml:name>DateTime</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AccountNotDelegated</maml:name><maml:description><maml:para>Specifies whether the security context of the user is delegated to a service. When this parameter is set to true, the security context of the account is not delegated to a service even when the service account is set as trusted for Kerberos delegation. This parameter sets the AccountNotDelegated property for an Active Directory account. This parameter also sets the ADS_UF_NOT_DELEGATED flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that the security context of the account is not delegated to a service. </maml:para><maml:para>-AccountNotDelegated $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Add</maml:name><maml:description><maml:para>Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.. The format for this parameter is </maml:para><maml:para>-Add @{Attribute1LDAPDisplayName=value1, value2, ...; Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...} </maml:para><maml:para>For example, if you want to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Phone-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='555-222-2222'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AllowReversiblePasswordEncryption</maml:name><maml:description><maml:para>Specifies whether reversible password encryption is allowed for the account. This parameter sets the AllowReversiblePasswordEncryption property of the account. This parameter also sets the ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to true. </maml:para><maml:para>-AllowReversiblePasswordEncryption $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthenticationPolicy</maml:name><maml:description><maml:para></maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicy</command:parameterValue><dev:type><maml:name>ADAuthenticationPolicy</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthenticationPolicySilo</maml:name><maml:description><maml:para></maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthenticationPolicySilo</command:parameterValue><dev:type><maml:name>ADAuthenticationPolicySilo</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>CannotChangePassword</maml:name><maml:description><maml:para>Specifies whether the account password can be changed. This parameter sets the CannotChangePassword property of an account. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that the account password can be changed. </maml:para><maml:para>-CannotChangePassword $false </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Certificates</maml:name><maml:description><maml:para>Modifies the DER-encoded X.509v3 certificates of the account. These certificates include the public key certificates issued to this account by the Microsoft Certificate Service. This parameter sets the Certificates property of the account object. The LDAP Display Name (ldapDisplayName) for this property is "userCertificate". </maml:para><maml:para>Syntax: </maml:para><maml:para>To add values: </maml:para><maml:para>-Certificates @{Add=value1,value2,...} </maml:para><maml:para>To remove values: </maml:para><maml:para>-Certificates @{Remove=value3,value4,...} </maml:para><maml:para>To replace values: </maml:para><maml:para>-Certificates @{Replace=value1,value2,...} </maml:para><maml:para>To clear all values: </maml:para><maml:para>-Certificates $null </maml:para><maml:para>You can specify more than one operation by using a list separated by semicolons. For example, use the following syntax to add and remove Certificate values </maml:para><maml:para>-Certificates @{Add=value1,value2,...};@{Remove=value3,value4,...} </maml:para><maml:para>The operators will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>The following example shows how to create a certificate by using the New-Object cmdlet, and then add it to a user account. When this cmdlet is run, <certificate password> is replaced by the password used to add the certificate. </maml:para><maml:para>$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate certificate1.cer <certificate password> </maml:para><maml:para>Set-ADUser saradavis -Certificates @{Add=$cert} </maml:para><maml:para>The following example shows how to add a certificate that is specified as a byte array. </maml:para><maml:para>Set-ADUser saradavis -Certificates @{Add= [Byte[]](0xC5,0xEE,0x53,...)} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ChangePasswordAtLogon</maml:name><maml:description><maml:para>Specifies whether a password must be changed during the next logon attempt. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>This parameter cannot be set to $true or 1 for an account that also has the PasswordNeverExpires property set to true. </maml:para><maml:para>The following example shows how to set this parameter so that the password must be changed at logon. </maml:para><maml:para>-ChangePasswordAtLogon $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>City</maml:name><maml:description><maml:para>Specifies the user's town or city. This parameter sets the City property of a user. The LDAP display name (ldapDisplayName) of this property is "l". </maml:para><maml:para>The following example shows how set this parameter. </maml:para><maml:para>-City "Las Vegas" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Clear</maml:name><maml:description><maml:para>Specifies an array of object properties that will be cleared in the directory. Use this parameter to clear one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName </maml:para><maml:para>For example, if you want to clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Clear parameter as follows. </maml:para><maml:para>-Clear otherTelephone </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Company</maml:name><maml:description><maml:para>Specifies the user's company. This parameter sets the Company property of a user object. The LDAP display name (ldapDisplayName) of this property is "company". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Company "Contoso" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>CompoundIdentitySupported</maml:name><maml:description><maml:para>Specifies whether an account supports Kerberos service tickets which includes the authorization data for the user's device. This value sets the compound identity supported flag of the Active Directory msDS-SupportedEncryptionTypes attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to specify that an account supports service tickets with device authorization data. </maml:para><maml:para>-SupportDeviceAuthz $true </maml:para><maml:para>Warning: Domain-joined Windows systems and services such as clustering manage their own msDS-SupportedEncryptionTypes attribute. Therefore any changes to the flag on the msDS-SupportedEncryptionTypes attribute will be overwritten by the service or system which manages the setting. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Country</maml:name><maml:description><maml:para>Specifies the country or region code for the user's language of choice. This parameter sets the Country property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "c". This value is not used by Windows 2000. </maml:para><maml:para>The following example shows how set this parameter. </maml:para><maml:para>-Country "IN" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Department</maml:name><maml:description><maml:para>Specifies the user's department. This parameter sets the Department property of a user. The LDAP Display Name (ldapDisplayName) of this property is "department". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Department "Development" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Description</maml:name><maml:description><maml:para>Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description". </maml:para><maml:para>The following example shows how to set this parameter to a sample description. </maml:para><maml:para>-Description "Description of the object" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is "displayName". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-DisplayName "Sara Davis Laptop" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Division</maml:name><maml:description><maml:para>Specifies the user's division. This parameter sets the Division property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "division". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Division "Software" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>EmailAddress</maml:name><maml:description><maml:para>Specifies the user's e-mail address. This parameter sets the EmailAddress property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "mail". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-EmailAddress "saradavis@contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>EmployeeID</maml:name><maml:description><maml:para>Specifies the user's employee ID. This parameter sets the EmployeeID property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "employeeID". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-EmployeeID "A123456" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>EmployeeNumber</maml:name><maml:description><maml:para>Specifies the user's employee number. This parameter sets the EmployeeNumber property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "employeeNumber". </maml:para><maml:para>The following example shows how set this parameter. </maml:para><maml:para>-EmployeeNumber "12345678" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Enabled</maml:name><maml:description><maml:para>Specifies if an account is enabled. An enabled account requires a password. This parameter sets the Enabled property for an account object. This parameter also sets the ADS_UF_ACCOUNTDISABLE flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter to enable the account. </maml:para><maml:para>-Enabled $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Fax</maml:name><maml:description><maml:para>Specifies the user's fax phone number. This parameter sets the Fax property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "facsimileTelephoneNumber". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Fax "+1 (999) 555 1212" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>GivenName</maml:name><maml:description><maml:para>Specifies the user's given name. This parameter sets the GivenName property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "givenName". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-givenName "Sanjay" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>HomeDirectory</maml:name><maml:description><maml:para>Specifies a user's home directory. This parameter sets the HomeDirectory property of a user object. The LDAP Display Name (ldapDisplayName) for this property is "homeDirectory". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-HomeDirectory "\\users\saraDavisHomeDir" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>HomeDrive</maml:name><maml:description><maml:para>Specifies a drive that is associated with the UNC path defined by the HomeDirectory property. The drive letter is specified as "<DriveLetter>:" where <DriveLetter> indicates the letter of the drive to associate. The <DriveLetter> must be a single, uppercase letter and the colon is required. This parameter sets the HomeDrive property of the user object. The LDAP Display Name (ldapDisplayName) for this property is "homeDrive". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-HomeDrive "D:" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>HomePage</maml:name><maml:description><maml:para>Specifies the URL of the home page of the object. This parameter sets the homePage property of an Active Directory object. The LDAP Display Name (ldapDisplayName) for this property is "wWWHomePage". </maml:para><maml:para>The following example shows how to set this parameter to a URL. </maml:para><maml:para>-HomePage "http://employees.contoso.com/sdavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>HomePhone</maml:name><maml:description><maml:para>Specifies the user's home telephone number. This parameter sets the HomePhone property of a user. The LDAP Display Name (ldapDisplayName) of this property is "homePhone". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-HomePhone "+1 (999) 555 1212" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory user object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM account name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=SaraDavis,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a user object instance named "userInstance". </maml:para><maml:para>-Identity $userInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADUser</command:parameterValue><dev:type><maml:name>ADUser</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Initials</maml:name><maml:description><maml:para>Specifies the initials that represent part of a user's name. You can use this value for the user's middle initial. This parameter sets the Initials property of a user. The LDAP Display Name (ldapDisplayName) of this property is "initials". </maml:para><maml:para>The following example shows how set this parameter. </maml:para><maml:para>-Initials "L" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Instance</maml:name><maml:description><maml:para>Specifies an ADUser object that identifies the Active Directory user object that should be modified and the set of changes that should be made to that object. When this parameter is used, any modifications made to the ADUser object are also made to the corresponding Active Directory object. The cmdlet only updates the object properties that have changed. </maml:para><maml:para>The ADUser object specified as the value of the -Instance parameter must have been retrieved by using the Get-ADUser cmdlet. When you specify the Instance parameter, you cannot specify other parameters that set individual properties on the object. </maml:para><maml:para>The following is an example of how to use the Get-ADUser cmdlet to retrieve an instance of the ADUser object. The object is modified by using the Windows PowerShell command line. Then the Set-ADUser cmdlet saves the changes to the Active Directory object. </maml:para><maml:para>Step 1: Retrieve a local instance of the object. </maml:para><maml:para>$userInstance = Get-ADUser -Identity saraDavis </maml:para><maml:para>Step 2: Modify one or more properties of the object instance. </maml:para><maml:para>$userInstance.EmailAddress = "saradavis@contoso.com" </maml:para><maml:para>Step3: Save your changes to saraDavis. </maml:para><maml:para>Set-ADUser -Instance $userInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADUser</command:parameterValue><dev:type><maml:name>ADUser</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>KerberosEncryptionType</maml:name><maml:description><maml:para>Specifies whether an account supports Kerberos encryption types which are used during creation of service tickets. This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes attribute. Possible values for this parameter are: </maml:para><maml:para>None </maml:para><maml:para>DES </maml:para><maml:para>RC4 </maml:para><maml:para>AES128 </maml:para><maml:para>AES256 </maml:para><maml:para>None, will remove all encryption types from the account resulting the KDC being unable to issue service tickets for services using the account. </maml:para><maml:para>DES is a weak encryption type which is not supported by default since Windows 7 and Windows Server 2008 R2. </maml:para><maml:para>The following example shows how to specify that an account supports service tickets with device authorization data. </maml:para><maml:para>-KerberosEncryptionTypes RC4|AES128|AES256 </maml:para><maml:para>Warning: Domain-joined Windows systems and services such as clustering manage their own msDS-SupportedEncryptionTypes attribute. Therefore any changes to the flag on the msDS-SupportedEncryptionTypes attribute will be overwritten by the service or system which manages the setting. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADKerberosEncryptionType</command:parameterValue><dev:type><maml:name>ADKerberosEncryptionType</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>LogonWorkstations</maml:name><maml:description><maml:para>Specifies the computers that the user can access. To specify more than one computer, create a single comma-separated list. You can identify a computer by using the Security Accounts Manager (SAM) account name (sAMAccountName) or the DNS host name of the computer. The SAM account name is the same as the NetBIOS name of the computer. </maml:para><maml:para>The LDAP display name (ldapDisplayName) for this property is "userWorkStations". </maml:para><maml:para>The following example shows how to set this parameter by using SAMAccountName (NetBIOS name) and DNSHostName values. </maml:para><maml:para>-LogonWorkstations "saraDavisDesktop,saraDavisLapTop,projectA.corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Manager</maml:name><maml:description><maml:para>Specifies the user's manager. This parameter sets the Manager property of a user. This parameter is set by providing one of the following property values. Note: The identifier in parentheses is the LDAP display name for the property. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>The LDAP Display Name (ldapDisplayName) of this property is "manager". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Manager saradavis </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADUser</command:parameterValue><dev:type><maml:name>ADUser</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>MobilePhone</maml:name><maml:description><maml:para>Specifies the user's mobile phone number. This parameter sets the MobilePhone property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "mobile". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-MobilePhone "+1 (999 ) 555 1212" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Office</maml:name><maml:description><maml:para>Specifies the location of the user's office or place of business. This parameter sets the Office property of a user object. The LDAP display name (ldapDisplayName) of this property is "office". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Office "D1042" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OfficePhone</maml:name><maml:description><maml:para>Specifies the user's office telephone number. This parameter sets the OfficePhone property of a user object. The LDAP display name (ldapDisplayName) of this property is "telephoneNumber". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-OfficePhone "+1 (999) 555 1212" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Organization</maml:name><maml:description><maml:para>Specifies the user's organization. This parameter sets the Organization property of a user object. The LDAP display name (ldapDisplayName) of this property is "o". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Organization "Accounting" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>OtherName</maml:name><maml:description><maml:para>Specifies a name in addition to a user's given name and surname, such as the user's middle name. This parameter sets the OtherName property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "middleName". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-OtherName "Peter" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>POBox</maml:name><maml:description><maml:para>Specifies the user's post office box number. This parameter sets the POBox property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "postOfficeBox". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-POBox "25662" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PasswordNeverExpires</maml:name><maml:description><maml:para>Specifies whether the password of an account can expire. This parameter sets the PasswordNeverExpires property of an account object. This parameter also sets the ADS_UF_DONT_EXPIRE_PASSWD flag of the Active Directory User Account Control attribute. Possible values for this parameter include: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>Note: This parameter cannot be set to $true or 1 for an account that also has the ChangePasswordAtLogon property set to true. </maml:para><maml:para>The following example shows how to set this parameter so that the password can expire. </maml:para><maml:para>-PasswordNeverExpires $false </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PasswordNotRequired</maml:name><maml:description><maml:para>Specifies whether the account requires a password. This parameter sets the PasswordNotRequired property of an account, such as a user or computer account. This parameter also sets the ADS_UF_PASSWD_NOTREQD flag of the Active Directory User Account Control attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that as password is not required for the account. </maml:para><maml:para>-PasswordNotRequired $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PostalCode</maml:name><maml:description><maml:para>Specifies the user's postal code or zip code. This parameter sets the PostalCode property of a user. The LDAP Display Name (ldapDisplayName) of this property is "postalCode". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-PostalCode "28712" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PrincipalsAllowedToDelegateToAccount</maml:name><maml:description><maml:para>This parameter sets the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of a computer account object. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">ADPrincipal[]</command:parameterValue><dev:type><maml:name>ADPrincipal[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ProfilePath</maml:name><maml:description><maml:para>Specifies a path to the user's profile. This value can be a local absolute path or a Universal Naming Convention (UNC) path. This parameter sets the ProfilePath property of the user object. The LDAP display name (ldapDisplayName) for this property is "profilePath". </maml:para><maml:para>The following examples show how to set this parameter to a local path and to a UNC path. -ProfilePath "E:\users\profiles\saraDavis" </maml:para><maml:para>-ProfilePath "\\users\profiles\saraDavis" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Remove</maml:name><maml:description><maml:para>Specifies that the cmdlet remove values of an object property. Use this parameter to remove one or more values of a property that cannot be modified using a cmdlet parameter. To remove an object property, you must use the LDAP display name. You can remove more than one property by specifying a semicolon-separated list. The format for this parameter is </maml:para><maml:para>-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to add the values blue and green and remove the value pink from a property with a LDAP display name of FavColors, set the Add and Remove parameters as follows. </maml:para><maml:para>-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the parameters will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Replace</maml:name><maml:description><maml:para>Specifies values for an object property that will replace the current values. Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can modify more than one property by specifying a comma-separated list. The format for this parameter is </maml:para><maml:para>-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]} </maml:para><maml:para>For example, if you want to replace the value "555-222-2222" with the values "555-222-1111" for Phone-Office-Other attribute (LDAP display name 'otherTelephone') set the Replace parameter as follows. </maml:para><maml:para>-Replace @{otherTelephone='555-222-2222', '555-222-1111'} </maml:para><maml:para>When you use the Add, Remove, Replace and Clear parameters together, the operations will be performed in the following order: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>..Clear </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SamAccountName</maml:name><maml:description><maml:para>Specifies the Security Account Manager (SAM) account name of the user, group, computer, or service account. The maximum length of the description is 256 characters. To be compatible with older operating systems, create a SAM account name that is 20 characters or less. This parameter sets the SAMAccountName for an account object. The LDAP display name (ldapDisplayName) for this property is "sAMAccountName". </maml:para><maml:para>The following example shows how to specify this parameter. </maml:para><maml:para>-SAMAccountName "saradavis" </maml:para><maml:para>Note: If the string value provided is not terminated with a '$' character, the system adds one if needed. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ScriptPath</maml:name><maml:description><maml:para>Specifies a path to the user's log on script. This value can be a local absolute path or a Universal Naming Convention (UNC) path. This parameter sets the ScriptPath property of the user. The LDAP display name (ldapDisplayName) for this property is "scriptPath". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-ScriptPath "\\logonScripts\saradavisLogin" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ServicePrincipalNames</maml:name><maml:description><maml:para>Specifies the service principal names for the account. This parameter sets the ServicePrincipalNames property of the account. The LDAP display name (ldapDisplayName) for this property is servicePrincipalName. This parameter uses the following syntax to add remove, replace or clear service principal name values. </maml:para><maml:para>Syntax: </maml:para><maml:para>To add values: </maml:para><maml:para>-ServicePrincipalNames @{Add=value1,value2,...} </maml:para><maml:para>To remove values: </maml:para><maml:para>-ServicePrincipalNames @{Remove=value3,value4,...} </maml:para><maml:para>To replace values: </maml:para><maml:para>-ServicePrincipalNames @{Replace=value1,value2,...} </maml:para><maml:para>To clear all values: </maml:para><maml:para>-ServicePrincipalNames $null </maml:para><maml:para>You can specify more than one change by using a list separated by semicolons. For example, use the following syntax to add and remove service principal names. </maml:para><maml:para>@{Add=value1,value2,...};@{Remove=value3,value4,...} </maml:para><maml:para>The operators will be applied in the following sequence: </maml:para><maml:para>..Remove </maml:para><maml:para>..Add </maml:para><maml:para>..Replace </maml:para><maml:para>The following example shows how to add and remove service principal names. </maml:para><maml:para>-ServicePrincipalNames-@{Add="SQLservice\accounting.corp.contoso.com:1456"};{Remove="SQLservice\finance.corp.contoso.com:1456"} </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Hashtable</command:parameterValue><dev:type><maml:name>Hashtable</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SmartcardLogonRequired</maml:name><maml:description><maml:para>Specifies whether a smart card is required to logon. This parameter sets the SmartCardLoginRequired property for a user. This parameter also sets the ADS_UF_SMARTCARD_REQUIRED flag of the Active Directory User Account Control attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to set this parameter so that a smart card is required to logon to the account. </maml:para><maml:para>-SmartCardLogonRequired $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>State</maml:name><maml:description><maml:para>Specifies the user's or Organizational Unit's state or province. This parameter sets the State property of a User or Organizational Unit object. The LDAP display name (ldapDisplayName) of this property is "st". </maml:para><maml:para>The following example shows how set this parameter. </maml:para><maml:para>-State "Nevada" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>StreetAddress</maml:name><maml:description><maml:para>Specifies the user's street address. This parameter sets the StreetAddress property of a user object. The LDAP display name (ldapDisplayName) of this property is "streetAddress". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-StreetAddress "1200 Main Street" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Surname</maml:name><maml:description><maml:para>Specifies the user's last name or surname. This parameter sets the Surname property of a user object. The LDAP display name (ldapDisplayName) of this property is "sn". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Surname "Patel" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Title</maml:name><maml:description><maml:para>Specifies the user's title. This parameter sets the Title property of a user object. The LDAP display name (ldapDisplayName) of this property is "title". </maml:para><maml:para>The following example shows how to set this parameter. </maml:para><maml:para>-Title "Manager" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>TrustedForDelegation</maml:name><maml:description><maml:para>Specifies whether an account is trusted for Kerberos delegation. A service that runs under an account that is trusted for Kerberos delegation can assume the identity of a client requesting the service. This parameter sets the TrustedForDelegation property of an account object. This value also sets the ADS_UF_TRUSTED_FOR_DELEGATION flag of the Active Directory User Account Control attribute. Possible values for this parameter are: </maml:para><maml:para>$false or 0 </maml:para><maml:para>$true or 1 </maml:para><maml:para>The following example shows how to specify that an account is trusted for Kerberos delegation. </maml:para><maml:para>-TrustedForDelegation $true </maml:para></maml:description><command:parameterValue required="true" variableLength="false">Boolean</command:parameterValue><dev:type><maml:name>Boolean</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>UserPrincipalName</maml:name><maml:description><maml:para>Each user account has a user principal name (UPN) in the format <user>@<DNS-domain-name>. A UPN is a friendly name assigned by an administrator that is shorter than the LDAP distinguished name used by the system and easier to remember. The UPN is independent of the user object's DN, so a user object can be moved or renamed without affecting the user logon name. When logging on using a UPN, users no longer have to choose a domain from a list on the logon dialog box. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADUser</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A user object is received by the Identity parameter. </maml:para><maml:para>A user object that was retrieved by using the Get-ADUser cmdlet and then modified is received by the Instance parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADUser</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Returns the modified user object when the PassThru parameter is specified. By default, this cmdlet does not generate any output. </maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADUser AntonioAl -HomePage 'http://fabrikam.com/employees/AntonioAl' -LogonWorkstations 'AntonioAl-DSKTOP,AntonioAl-LPTOP' </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Set the user with samAccountName AntonioAL's property homepage to http://fabrikam.com/employees/AntonioAl and the LogonWorkstations property to AntonioAl-DSKTOP,AntonioAl-LPTOP. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADUser -Filter 'Name -like "*"' -SearchBase 'OU=HumanResources,OU=UserAccounts,DC=FABRIKAM,DC=COM' -Properties DisplayName | % {Set-ADUser $_ -DisplayName ($_.Surname + ' ' + $_.GivenName)} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Get all the users in the directory that are located underneath the OU=HumanResources,OU=UserAccounts,DC=FABRIKAM,DC=COM organizationalUnit. Set the DisplayName property on these user objects to the concatentation of the Surname property and the GivenName property. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADUser GlenJohn -Replace @{title="director";mail="glenjohn@fabrikam.com"} </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Set the user with samAccountNAme GlenJohn's property title to director and property mail to glenjohn@fabrikam.com. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 4 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Set-ADUser GlenJohn -Remove @{otherMailbox="glen.john"} -Add @{url="fabrikam.com"} -Replace @{title="manager"} -Clear description </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Modify the user with samAccountName GlenJohn's object by removing glen.john from the otherMailbox property, adding fabrikam.com to the url property, replacing the title property with manager and clearing the description property. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 5 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>$user = Get-ADUser GlenJohn -Properties mail,department $user.mail = "glen@fabrikam.com" $user.department = "Accounting" Set-ADUser -instance $user </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Set the mail and department properties on the user object with samAccountName GlenJohn by using the instance parameter. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 6 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code> PS C:\># create a byte array for the M-F 8:00 am to 5 pm logon hours PS C:\>$hours = New-Object byte[] 21 PS C:\>$hours[5] = 255; $hours[8] = 255; $hours[11] = 255; $hours[14] = 255; $hours[17] = 255; PS C:\>$hours[6] = 1; $hours[9] = 1; $hours[12] = 1; $hours[15] = 1; $hours[18] = 1; PS C:\># create a hashtable to update the logon hours and a description PS C:\>$replaceHashTable = New-Object HashTable PS C:\>$replaceHashTable.Add("logonHours", $hours) PS C:\>$replaceHashTable.Add("description", "Sarah Davis can only logon from Monday through Friday from 8:00 AM to 5:00 PM") PS C:\># set the value of the logonHours and description attributes PS C:\>Set-ADUser "SarahDavis" -Replace $replaceHashTable </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Set the user logon hours to Monday through Friday from 8:00 AM to 5:00 PM and add a description. It updates the "logonHours" attribute with the specified byte array and the description attribute with the specified string. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 7 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code> PS C:\>$manager = Get-ADUser GlenJohn -Server Corp-DC01 PS C:\>Set-ADUser AntonioAl -Manager $manager -Server Branch-DC02 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Set the Manager property for user with samAccountName of "AntonioAL" where the manager (GlenJohn) is a user in another domain. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291132</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADUser</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADUser</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADUser</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADAccountControl</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Show-ADAuthenticationPolicyExpression</command:name><maml:description><maml:para>Displays the Edit Access Control Conditions window update or create security descriptor definition language (SDDL) security descriptors.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Show</command:verb><command:noun>ADAuthenticationPolicyExpression</command:noun><dev:version /></command:details><maml:description><maml:para>The Show-ADAuthenticationPolicyExpression cmdlet creates or modifies an SDDL security descriptor using the Edit Access Control Conditions window. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Show-ADAuthenticationPolicyExpression</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="0" aliases=""><maml:name>SDDL</maml:name><maml:description><maml:para>Specifies the SDDL of the security descriptor. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="1" aliases=""><maml:name>Title</maml:name><maml:description><maml:para>Specifies a title for the SDDL security descriptor.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. The acceptable values for this parameter are: --Negotiate or 0 --Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.</maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform the task. The default is the current user. Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the <maml:navigationLink><maml:linkText>Get-Credential</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet. </maml:para><maml:para>By default, the cmdlet uses the credentials of the currently logged on user unless the cmdlet is run from an Active Directory Domain ServicesWindows PowerShell provider drive. If you run the cmdlet in a provider drive, the account associated with the drive is the default.</maml:para><maml:para>If you specify credentials that do not have permission to perform the task, the cmdlet returns an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to which to connect, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Specify the Active Directory Domain Services instance in one of the following ways: --Domain name values: ----Fully qualified domain name ----NetBIOS name --Directory server values: ----Fully qualified directory server name ----NetBIOS name ----Fully qualified directory server name and port</maml:para><maml:para>The default value for this parameter is determined by one of the following methods in the order that they are listed: --By using the Server value from objects passed through the pipeline --By using the server information associated with the Active Directory Domain ServicesWindows PowerShell provider drive, when the cmdlet runs in that drive --By using the domain of the computer running Windows PowerShell</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AllowedToAuthenticateFrom</maml:name><maml:description><maml:para>Indicates that the AllowedToAuthenticateFrom listings for an object are displayed in the Edit Access Control Conditions window.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>Show-ADAuthenticationPolicyExpression</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>SDDL</maml:name><maml:description><maml:para>Specifies the SDDL of the security descriptor. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>Title</maml:name><maml:description><maml:para>Specifies a title for the SDDL security descriptor.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. The acceptable values for this parameter are: --Negotiate or 0 --Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.</maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform the task. The default is the current user. Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the <maml:navigationLink><maml:linkText>Get-Credential</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet. </maml:para><maml:para>By default, the cmdlet uses the credentials of the currently logged on user unless the cmdlet is run from an Active Directory Domain ServicesWindows PowerShell provider drive. If you run the cmdlet in a provider drive, the account associated with the drive is the default.</maml:para><maml:para>If you specify credentials that do not have permission to perform the task, the cmdlet returns an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to which to connect, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Specify the Active Directory Domain Services instance in one of the following ways: --Domain name values: ----Fully qualified domain name ----NetBIOS name --Directory server values: ----Fully qualified directory server name ----NetBIOS name ----Fully qualified directory server name and port</maml:para><maml:para>The default value for this parameter is determined by one of the following methods in the order that they are listed: --By using the Server value from objects passed through the pipeline --By using the server information associated with the Active Directory Domain ServicesWindows PowerShell provider drive, when the cmdlet runs in that drive --By using the domain of the computer running Windows PowerShell</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AllowedToAuthenticateTo</maml:name><maml:description><maml:para>Indicates that the AllowedToAuthenticateTo listings for an object are displayed in the Edit Access Control Conditions window.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AllowedToAuthenticateFrom</maml:name><maml:description><maml:para>Indicates that the AllowedToAuthenticateFrom listings for an object are displayed in the Edit Access Control Conditions window.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AllowedToAuthenticateTo</maml:name><maml:description><maml:para>Indicates that the AllowedToAuthenticateTo listings for an object are displayed in the Edit Access Control Conditions window.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. The acceptable values for this parameter are: --Negotiate or 0 --Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform the task. The default is the current user. Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the <maml:navigationLink><maml:linkText>Get-Credential</maml:linkText><maml:uri></maml:uri></maml:navigationLink> cmdlet. </maml:para><maml:para>By default, the cmdlet uses the credentials of the currently logged on user unless the cmdlet is run from an Active Directory Domain ServicesWindows PowerShell provider drive. If you run the cmdlet in a provider drive, the account associated with the drive is the default.</maml:para><maml:para>If you specify credentials that do not have permission to perform the task, the cmdlet returns an error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="0" aliases=""><maml:name>SDDL</maml:name><maml:description><maml:para>Specifies the SDDL of the security descriptor. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to which to connect, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Specify the Active Directory Domain Services instance in one of the following ways: --Domain name values: ----Fully qualified domain name ----NetBIOS name --Directory server values: ----Fully qualified directory server name ----NetBIOS name ----Fully qualified directory server name and port</maml:para><maml:para>The default value for this parameter is determined by one of the following methods in the order that they are listed: --By using the Server value from objects passed through the pipeline --By using the server information associated with the Active Directory Domain ServicesWindows PowerShell provider drive, when the cmdlet runs in that drive --By using the domain of the computer running Windows PowerShell</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="1" aliases=""><maml:name>Title</maml:name><maml:description><maml:para>Specifies a title for the SDDL security descriptor.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or System.String</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>This cmdlet accepts a SDDL security descriptor.</maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>System.Object</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>This cmdlet outputs a SDDL security descriptor.</maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title>Example 1: Retrieve the AllowedToAuthenticateFrom settings and store in a file</maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\>Show-ADAuthenticationPolicyExpression –AllowedToAuthenticateFrom > someFile.txt PS C:\> New-ADAuthenticationPolicy testAuthenticationPolicy -UserAllowedToAuthenticateFrom (Get-Acl .\AuthSettings.txt).sddl </dev:code><dev:remarks><maml:para>This command retrieves the AllowedToAuthenticateFrom access control list (ACL) by opening the Edit Access Control Conditions window and stores the ACL in a file named AuthSettings.txt. The file is then used to apply a new authentication policy to the retrieved ACL.</maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title>Example 2: Set the UserAllowedToAuthenticateFrom property</maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\>New-ADAuthenticationPolicy testAuthenticationPolicy -UserAllowedToAuthenticateFrom (Show-ADAuthenticationPolicyExpression -AllowedToAuthenticateFrom) </dev:code><dev:remarks><maml:para>This example uses the New-ADAuthenticationPolicy cmdlet to create an authentication policy, and then sets the UserAllowedToAuthenticateFrom property by specifying the Show-ADAuthenticationPolicyExpression cmdlet as the value for the parameter.</maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=298321</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Sync-ADObject</command:name><maml:description><maml:para>Replicates a single object between any two domain controllers that have partitions in common. </maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Sync</command:verb><command:noun>ADObject</command:noun><dev:version /></command:details><maml:description><maml:para>The Sync-ADObject cmdlet replicates a single object between any two domain controllers that have partitions in common. The two domain controllers do not need to be direct replication partners. It can also be used to populate passwords in a read-only domain controller (RODC) cache. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Sync-ADObject</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Object</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavis,OU=users,OU=asia,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADDomain </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADObject</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>Source</maml:name><maml:description><maml:para>Specifies the identity of the Active Directory server that acts as the source for synchronizing this data. This parameter works similarly to the Server parameter as used on the Set-Object cmdlet with some restrictions. It does not allow domain or forest names to be used. </maml:para><maml:para>Valid format foes specifying the source server are the following: </maml:para><maml:para>Host name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Host name and port </maml:para><maml:para>Examples: corp-DC12:3268 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>IP address </maml:para><maml:para>Examples: 10.0.0.1 </maml:para><maml:para>IP address and port </maml:para><maml:para>Example: 10.0.0.1:3268 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="3" aliases="Server,HostName,IPv4Address"><maml:name>Destination</maml:name><maml:description><maml:para>Specifies the identity of the Active Directory server that acts as the destination for synchronizing this data. This parameter works similarly to the Server parameter as used on the Set-Object cmdlet with some restrictions. It does not allow domain or forest names to be used. </maml:para><maml:para>Valid format foes specifying the destination server are the following: </maml:para><maml:para>Host name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Host name and port </maml:para><maml:para>Examples: corp-DC12:3268 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>IP address </maml:para><maml:para>Examples: 10.0.0.1 </maml:para><maml:para>IP address and port </maml:para><maml:para>Example: 10.0.0.1:3268 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the object once it has been synchronized on the destination server. By default if the PassThru parameter is not specified, this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PasswordOnly</maml:name><maml:description><maml:para>Populates a read-only domain controller (RODC) password cache with the password of the account specified in the Object parameter. If specified, no other data is replicated other than the password. </maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies a user account that has permission to perform this action. The default is the current user. </maml:para><maml:para>Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. </maml:para><maml:para>This parameter is not supported by any providers installed with Windows PowerShell. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="3" aliases="Server,HostName,IPv4Address"><maml:name>Destination</maml:name><maml:description><maml:para>Specifies the identity of the Active Directory server that acts as the destination for synchronizing this data. This parameter works similarly to the Server parameter as used on the Set-Object cmdlet with some restrictions. It does not allow domain or forest names to be used. </maml:para><maml:para>Valid format foes specifying the destination server are the following: </maml:para><maml:para>Host name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Host name and port </maml:para><maml:para>Examples: corp-DC12:3268 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>IP address </maml:para><maml:para>Examples: 10.0.0.1 </maml:para><maml:para>IP address and port </maml:para><maml:para>Example: 10.0.0.1:3268 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Object</maml:name><maml:description><maml:para>Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=saradavis,OU=users,OU=asia,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADDomain </maml:para><maml:para>This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance". </maml:para><maml:para>-Identity $ADObjectInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADObject</command:parameterValue><dev:type><maml:name>ADObject</maml:name><maml:uri /></dev:type><dev:defaultValue>None</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the object once it has been synchronized on the destination server. By default if the PassThru parameter is not specified, this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>False</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PasswordOnly</maml:name><maml:description><maml:para>Populates a read-only domain controller (RODC) password cache with the password of the account specified in the Object parameter. If specified, no other data is replicated other than the password. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>False</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>Source</maml:name><maml:description><maml:para>Specifies the identity of the Active Directory server that acts as the source for synchronizing this data. This parameter works similarly to the Server parameter as used on the Set-Object cmdlet with some restrictions. It does not allow domain or forest names to be used. </maml:para><maml:para>Valid format foes specifying the source server are the following: </maml:para><maml:para>Host name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Host name and port </maml:para><maml:para>Examples: corp-DC12:3268 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>IP address </maml:para><maml:para>Examples: 10.0.0.1 </maml:para><maml:para>IP address and port </maml:para><maml:para>Example: 10.0.0.1:3268 </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>Microsoft.ActiveDirectory.Management.ADObject</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADGroup </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADOrganizationalUnit </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADDomain </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name></maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Sync-ADObject "CN=AccountManagers,OU=AccountDeptOU,DC=corp,DC=contoso,DC=com" corp-DC01 corp-DC02 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Replicate an object with DistinguishedName 'CN=AccountManagers,OU=AccountDeptOU,DC=corp,DC=contoso,DC=com' from corp-DC01 to corp-DC02. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Get-ADUser saradavis | Sync-ADObject -Destination "corp-RODC01" -PasswordOnly </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Pre-cache the password of Sara Davis to the read-only Domain Controller corp-RODC01 using the user's SamAccountName </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291133</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADObject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Move-ADObject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADObject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADObject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Rename-ADObject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Restore-ADObject</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADObject</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Test-ADServiceAccount</command:name><maml:description><maml:para>Tests a managed service account from a computer.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Test</command:verb><command:noun>ADServiceAccount</command:noun><dev:version /></command:details><maml:description><maml:para>The Test-ADServiceAccount cmdlet tests a managed service account (MSA) from a local computer. </maml:para><maml:para>The Identity parameter specifies the Active Directory MSA account to test. You can identify a MSA by its distinguished name (DN), GUID, security identifier (SID), or Security Accounts Manager (SAM) account name. You can also set the parameter to a MSA object variable, such as $<localMSA> or pass a MSA object through the pipeline to the Identity parameter. For example, you can use the Get-ADServiceAccount to get a MSA object and then pass that object through the pipeline to the Test-ADServiceAccount cmdlet. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Test-ADServiceAccount</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory managed service account object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=MyServiceMSA,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM account name (sAMAccountName) </maml:para><maml:para>Example: MyServiceMSA </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=MyServiceMSA,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a user object instance named "userInstance". </maml:para><maml:para>-Identity $userInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADServiceAccount</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory managed service account object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=MyServiceMSA,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM account name (sAMAccountName) </maml:para><maml:para>Example: MyServiceMSA </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=MyServiceMSA,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to a user object instance named "userInstance". </maml:para><maml:para>-Identity $userInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADServiceAccount</command:parameterValue><dev:type><maml:name>ADServiceAccount</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADServiceAccount</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A managed service account object is received by the Identity parameter. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Test-ADServiceAccount -Identity MSA1 True </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Tests that the specified service account ("MSA1") is ready for use (it is able be authenticated and access the domain using its currently configured credentials) from the local computer. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Test-ADServiceAccount -Identity MSA1 False WARNING: Test failed for Managed Service Account MSA. If standalone Managed Service Account, the account is linked to another computer object in the Active Directory. If group Managed Service Account, either this computer does not have permission to use the group MSA or this computer does not support all the Kerberos encryption types required for the gMSA. See the MSA operational log for more information. </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Test results returned if MsaInfoCannotInstall </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 3 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Test-ADServiceAccount -Identity MSA1 False WARNING: The Managed Service Account MSA is not linked with any computer object in the directory. </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Test returns MsaInfoCanInstall </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291134</maml:uri></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Uninstall-ADServiceAccount</command:name><maml:description><maml:para>Uninstalls an Active Directory managed service account from a computer or removes a cached group managed service account from a computer.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Uninstall</command:verb><command:noun>ADServiceAccount</command:noun><dev:version /></command:details><maml:description><maml:para>The Uninstall-ADServiceAccount cmdlet removes an Active Directory standalone managed service account (MSA) on the computer on which the cmdlet is run. For group MSAs, the cmdlet removes the group MSA from the cache, however, if a service is still using the group MSA and the host has permission to retrieve the password a new cache entry will be created. The specified MSA must be installed on the computer. </maml:para><maml:para>The Identity parameter specifies the Active Directory MSA to uninstall. You can identify a MSA by its distinguished name (DN), GUID, security identifier (SID), or Security Accounts Manager (SAM) account name. You can also set the parameter to a MSA object variable, such as $<localServiceAccountObject> or pass a MSA object through the pipeline to the Identity parameter. For example, you can use the Get-ADServiceAccount to get a MSA object and then pass that object through the pipeline to the Uninstall-ADServiceAccount cmdlet. </maml:para><maml:para>For standalone MSA, the ForceRemoveLocal switch parameter will allow you to remove the account from the local LSA without failing the command if an access to a writable DC is not possible. This is required if you are uninstalling the standalone MSA from a server that is placed in a segmented network (i.e. perimeter network) with access only to an RODC. If you pass this parameter and the server has access to a writable DC the standalone MSA will be un-linked from the computer account in the directory as well. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Uninstall-ADServiceAccount</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory account object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=WebAccount,CN=ManagedServiceAccounts,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: WebAccount$ </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=WebAccount,CN=ManagedServiceAccounts,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to an account object instance named "AccountInstance". </maml:para><maml:para>-Identity $AccountInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADServiceAccount</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ForceRemoveLocal</maml:name><maml:description><maml:para>The ForceRemoveLocal switch parameter will allow you to remove the account from the local LSA without failing the command if an access to a writable DC is not possible. This is required if you are uninstalling the MSA from a server that is placed in a segmented network (i.e. perimeter network) with access only to an RODC. If you pass this parameter and the server has access to a writable DC the account will be un-linked from the computer account in the directory as well. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ForceRemoveLocal</maml:name><maml:description><maml:para>The ForceRemoveLocal switch parameter will allow you to remove the account from the local LSA without failing the command if an access to a writable DC is not possible. This is required if you are uninstalling the MSA from a server that is placed in a segmented network (i.e. perimeter network) with access only to an RODC. If you pass this parameter and the server has access to a writable DC the account will be un-linked from the computer account in the directory as well. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory account object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=WebAccount,CN=ManagedServiceAccounts,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: WebAccount$ </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an object instance. </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=WebAccount,CN=ManagedServiceAccounts,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to an account object instance named "AccountInstance". </maml:para><maml:para>-Identity $AccountInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADServiceAccount</command:parameterValue><dev:type><maml:name>ADServiceAccount</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADServiceAccount</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>A managed service account object is received by the Identity parameter. A switch parameter with name ForceRemoveLocal is provided to un-install standalone MSAs on a RODC only site. </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with AD LDS. </maml:para><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Uninstall-ADServiceAccount -Identity SQL-SRV1 </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Uninstall the managed service account SQL-SRV1 from the local machine. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Uninstall-ADServiceAccount sql-hr-01 -ForceRemoveLocal </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Uninstall a standalone Managed Service Account from a server located in a RODC-only site with no access to writable DCs such as a perimeter network. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291135</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Install-ADServiceAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-ADService account</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Remove-ADService account</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADService account</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Unlock-ADAccount</command:name><maml:description><maml:para>Unlocks an Active Directory account.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Unlock</command:verb><command:noun>ADAccount</command:noun><dev:version /></command:details><maml:description><maml:para>The Unlock-ADAccount cmdlet restores Active Directory Domain Services (AD DS) access for an account that is locked. AD DS access is suspended or locked for an account when the number of incorrect password entries exceeds the maximum number allowed by the account password policy. </maml:para><maml:para>The Identity parameter specifies the Active Directory account to unlock. You can identify an account by its distinguished name (DN), GUID, security identifier (SID) or Security Accounts Manager (SAM) account name. You can also set the Identity parameter to an account object variable such as $<localADAccountObject>, or you can pass an object through the pipeline to the Identity parameter. For example, you can use the Search-ADAccount cmdlet to get an account object and then pass the object through the pipeline to the Unlock-ADAccount cmdlet to unlock the account. Similarly, you can use Get-ADUser and Get-ADComputer to get objects to pass through the pipeline. </maml:para><maml:para>For AD LDS environments, the Partition parameter must be specified except when: - Using a DN to identify objects: the partition will be auto-generated from the DN. - Running cmdlets from an Active Directory provider drive: the current path will be used to set the partition. - A default naming context or partition is specified. </maml:para><maml:para>To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Unlock-ADAccount</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory account object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis ,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an account object instance. </maml:para><maml:para>Derived types such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saradavis,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to an account object instance named "accountInstance". </maml:para><maml:para>-Identity $accountInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAccount</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValueGroup><command:parameterValue required="true" variableLength="false">Negotiate</command:parameterValue><command:parameterValue required="true" variableLength="false">Basic</command:parameterValue></command:parameterValueGroup></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthType</maml:name><maml:description><maml:para>Specifies the authentication method to use. Possible values for this parameter include: </maml:para><maml:para>Negotiate or 0 </maml:para><maml:para>Basic or 1 </maml:para><maml:para>The default authentication method is Negotiate. </maml:para><maml:para>A Secure Sockets Layer (SSL) connection is required for the Basic authentication method. </maml:para><maml:para>The following example shows how to set this parameter to Basic. </maml:para><maml:para>-AuthType Basic </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAuthType</command:parameterValue><dev:type><maml:name>ADAuthType</maml:name><maml:uri /></dev:type><dev:defaultValue>Microsoft.ActiveDirectory.Management.AuthType.Negotiate</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Credential</maml:name><maml:description><maml:para>Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default. </maml:para><maml:para>To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password. </maml:para><maml:para>You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials. </maml:para><maml:para>$AdminCredentials = Get-Credential "Domain01\User01" </maml:para><maml:para>The following shows how to set the Credential parameter to these credentials. </maml:para><maml:para>-Credential $AdminCredentials </maml:para><maml:para>If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue><dev:type><maml:name>PSCredential</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="1" aliases=""><maml:name>Identity</maml:name><maml:description><maml:para>Specifies an Active Directory account object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. </maml:para><maml:para>Distinguished Name </maml:para><maml:para>Example: CN=SaraDavis ,CN=Users,DC=corp,DC=contoso,DC=com </maml:para><maml:para>GUID (objectGUID) </maml:para><maml:para>Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 </maml:para><maml:para>Security Identifier (objectSid) </maml:para><maml:para>Example: S-1-5-21-3165297888-301567370-576410423-1103 </maml:para><maml:para>SAM Account Name (sAMAccountName) </maml:para><maml:para>Example: saradavis </maml:para><maml:para>The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error. </maml:para><maml:para>This parameter can also get this object through the pipeline or you can set this parameter to an account object instance. </maml:para><maml:para>Derived types such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para><maml:para>This example shows how to set the parameter to a distinguished name. </maml:para><maml:para>-Identity "CN=saradavis,CN=Users,DC=corp,DC=contoso,DC=com" </maml:para><maml:para>This example shows how to set this parameter to an account object instance named "accountInstance". </maml:para><maml:para>-Identity $accountInstance </maml:para></maml:description><command:parameterValue required="true" variableLength="false">ADAccount</command:parameterValue><dev:type><maml:name>ADAccount</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Partition</maml:name><maml:description><maml:para>Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter. </maml:para><maml:para>The following two examples show how to specify a value for this parameter. </maml:para><maml:para>-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM" </maml:para><maml:para>In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated. </maml:para><maml:para>In AD DS environments, a default value for Partition will be set in the following cases: - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain. </maml:para><maml:para>In AD LDS environments, a default value for Partition will be set in the following cases: </maml:para><maml:para>- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name. </maml:para><maml:para>- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive. </maml:para><maml:para>- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. </maml:para><maml:para>- If none of the previous cases apply, the Partition parameter will not take any default value. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>PassThru</maml:name><maml:description><maml:para>Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Server</maml:name><maml:description><maml:para>Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance. </maml:para><maml:para>Domain name values: </maml:para><maml:para>Fully qualified domain name </maml:para><maml:para>Examples: corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: CORP </maml:para><maml:para>Directory server values: </maml:para><maml:para>Fully qualified directory server name </maml:para><maml:para>Example: corp-DC12.corp.contoso.com </maml:para><maml:para>NetBIOS name </maml:para><maml:para>Example: corp-DC12 </maml:para><maml:para>Fully qualified directory server name and port </maml:para><maml:para>Example: corp-DC12.corp.contoso.com:3268 </maml:para><maml:para>The default value for the Server parameter is determined by one of the following methods in the order that they are listed: </maml:para><maml:para>-By using Server value from objects passed through the pipeline. </maml:para><maml:para>-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive. </maml:para><maml:para>-By using the domain of the computer running Powershell. </maml:para><maml:para>The following example shows how to specify a full qualified domain name as the parameter value. </maml:para><maml:para>-Server "corp.contoso.com" </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>Confirm</maml:name><maml:description><maml:para>Prompts you for confirmation before running the cmdlet.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"><maml:name>WhatIf</maml:name><maml:description><maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue>false</dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None or Microsoft.ActiveDirectory.Management.ADAccount</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>An account object is received by the Identity parameter. </maml:para><maml:para>Derived types, such as the following are also accepted: </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADUser </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADComputer </maml:para><maml:para>Microsoft.ActiveDirectory.Management.ADServiceAccount </maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><maml:alertSet><maml:title /><maml:alert><maml:para>This cmdlet does not work with an Active Directory Snapshot. </maml:para><maml:para>This cmdlet does not work with a read-only domain controller. </maml:para></maml:alert><maml:alert></maml:alert></maml:alertSet><command:examples><command:example><maml:title> -------------------------- EXAMPLE 1 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Unlock-ADAccount -Identity KimAb </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Unlocks the account with SamAccountName: KimAb. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title> -------------------------- EXAMPLE 2 -------------------------- </maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>C:\PS>Unlock-ADAccount -Identity "CN=Kim Abercrombie,OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM" </dev:code><dev:remarks><maml:para>Description </maml:para><maml:para>----------- </maml:para><maml:para>Unlocks the account with DistinguishedName: "CN=Kim Abercrombie,OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM". </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/p/?linkid=291136</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Clear-ADAccountExpiration</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Disable-ADAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Enable-ADAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Get-ADAccountAuthorizationGroup</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Search-ADAccount</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADAccountControl</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADAccountExpiration</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Set-ADAccountPassword</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> </helpItems> |