Skip to content

Latest commit

 

History

History
144 lines (112 loc) · 4.1 KB

Add-AdmPwdPdsSidMapping.md

File metadata and controls

144 lines (112 loc) · 4.1 KB
external help file Module Name schema
AdmPwd.PS.dll-Help.xml
AdmPwd.PS
2.0.0

Add-AdmPwdPdsSidMapping

SYNOPSIS

Adds mapping of SIDs from untrusted forest to SID from PDS forest.

SYNTAX

Pds

Add-AdmPwdPdsSidMapping [-Pds] <PdsEndpoint> [-PrimarySid] <SecurityIdentifier>
 [-MappedSid] <SecurityIdentifier> [[-Description] <String>] [<CommonParameters>]

PdsName

Add-AdmPwdPdsSidMapping [-PdsName] <String> [-PrimarySid] <SecurityIdentifier>
 [-MappedSid] <SecurityIdentifier> [[-Description] <String>] [<CommonParameters>]

DESCRIPTION

PDS supports management of untrusted forests. However, for management of untrusted forests, the following prerequisites must be configured:

  • Explicit credentials for PDS to use when accessing intrusted forest
  • Mapping of SID from untrusted forest to SIDs from PDS forests.

SID mappings are used for access control - User who wants to read or reset password must have his/her own SID (own SID or SID of group he/she is member of) 'paired' with SID that has been delegated the permission for password read/reset in untrusted forest. SID mapping is used to establish this pairing of SIDs.

For management of untrusted forest connection credentials, see command Add-AdmPwdPdsSupportedForest

EXAMPLES

Example 1

# bring Primary SID from untrusted forest
$primarySid=New-Object System.Security.Principal.SecurityIdentifier('S-1-5-21-418581132-3576222476-795453013-1653')
# Construct mapped SID from PDS forest
$mappedUser=New-Object System.Security.Principal.NTAccount('MyDomain\MyUser')
$mappedSid=$mappedUser.Translate([System.Security.Principal.SecurityIdentifier])
# Configure mapping on all PDS instances
Get-AdmPwdPds | Add-AdmPwdPdsSidMapping -PrimarySid $primarySid -MappedSid $mappedSid -Description 'Mapped SID from untrusted managed forest'

Gets list of all PDS instances discovered and adds definition SID mapping.

PARAMETERS

-Pds

Instance of PDS as returned by Get-AdmPwdPds command

Type: PdsEndpoint
Parameter Sets: Pds
Aliases:

Required: True
Position: 0
Default value: None
Accept pipeline input: True (ByValue)
Accept wildcard characters: False

-PdsName

Name of instance of PDS - DNS name of machine hosting PDS service

Type: String
Parameter Sets: PdsName
Aliases:

Required: True
Position: 0
Default value: None
Accept pipeline input: True (ByValue)
Accept wildcard characters: False

-PrimarySid

Sid from untrusted forest. This is SID of principal that is delegated permission to read/reset password in untrusted forest.

Type: SecurityIdentifier
Parameter Sets: (All)
Aliases:

Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-MappedSid

Sid of principal from PDS forest that is paired to primary SID when PDS performs access checks. Requestor of password read/reset operation must have this SID in his security token so as it's mapped to Primary SID.

Type: SecurityIdentifier
Parameter Sets: (All)
Aliases:

Required: True
Position: 2
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Description

Description of SID mapping being added.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 3
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

INPUTS

AdmPwd.Types.PdsEndpoint

System.Security.Principal.SecurityIdentifier

System.String

OUTPUTS

NOTES

Caller has to be member of PDS administrators role. If not a member, Access Denied error is returned.

RELATED LINKS