{"id":2400,"date":"2013-12-17T00:01:00","date_gmt":"2013-12-17T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2013\/12\/17\/use-powershell-to-work-with-rodc-accounts\/"},"modified":"2013-12-17T00:01:00","modified_gmt":"2013-12-17T00:01:00","slug":"use-powershell-to-work-with-rodc-accounts","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/use-powershell-to-work-with-rodc-accounts\/","title":{"rendered":"Use PowerShell to Work with RODC Accounts"},"content":{"rendered":"

Summary<\/strong>: Microsoft premier field engineer, Ian Farr, talks about using Windows PowerShell to work with RODC accounts.<\/p>\n

Microsoft Scripting Guy, Ed Wilson, is here. Today I would like to introduce a new guest blogger, Ian Farr. Ian tells us about himself:<\/p>\n

I started out writing UNIX shell scripts to automate simple tasks. Then as a Windows IT pro, I discovered VBScript, and it ignited a passion for automation. Over the years, I’ve used batch files, KiXtart, JScript, HTAs, Perl, JavaScript, and Python. I love solving problems with scripts, and I’ve written code for several large enterprise environments. I now work as a premier field engineer at Microsoft, teaching Windows PowerShell and helping my customers with their own scripts.<\/p>\n

Today, I’d like to share with you my function Get-ADRodcAuthenticatedNotRevealed.ps1<\/a>.<\/p>\n

One of my customers has a large number of Read-only domain controllers<\/a> (RODCs). Each one is configured (by using password replication policies) to only store the account credentials of specific low-privileged user and computer accounts. If an “allowed” account authenticates against its designated RODC, its credentials are cached on that RODC. The account is then added to the “revealed” list. If the RODC loses connectivity to the central site, it can still authenticate accounts in its revealed list.<\/p>\n

Of course, an RODC can authenticate accounts that are not in an applicable password replication policy. To do this, it must communicate with a Read-Write domain controller. All accounts that an RODC has authenticated, including those in the revealed list, can be found in the appropriately named authenticated list. By now, you’re probably thinking, “What does all of have to do with Windows PowerShell and scripting?”<\/p>\n

Hang on…I’m almost there.<\/p>\n

RODCs are most suited to branch office locations, so it’s reasonable to assume that each RODC has authenticated accounts from applicable allowed password replication policies. It’s also reasonable to assume that user and computer accounts that are not defined in a password replication policy may have been authenticated—for example, perhaps a roaming user has visited and plugged in their laptop to the LAN.<\/p>\n

You may also see authenticated accounts that are part of a “denied” password replication policy. Built-in privileged groups and accounts, by default, do not have their credentials stored on an RODC.<\/p>\n

Now to analyse specific RODC usage. How do you determine which accounts are stored in the “authenticated” list, but don’t appear in the “revealed” list?<\/p>\n

At last…some Windows PowerShell!<\/p>\n

I’ve published the Get-ADRodcAuthenticatedNotRevealed<\/a> function on the TechNet Script Center Repository. It will return account objects that are authenticated but not revealed.<\/p>\n

You could add the script to $profile<\/a>, so it is loaded to the PSDrive function (see Use PowerShell to Work Easily with Dives and Paths<\/a>) when Windows PowerShell opens. Or you can access it as needed by dot sourcing<\/a> the script file:<\/p>\n

. .\\Get-ADRodcAuthenticatedNotRevealed.ps1<\/p>\n

Here’s a suggested way to use the function:<\/p>\n

Get-ADDomainController -Filter {IsReadOnly -eq $True} | Get-ADRodcAuthenticatedNotRevealed <\/p>\n

Here, we get all of the RODCs from the domain that the user is currently logged in to and pipe them one-by-one into the function. This line could happily be part of a script that defines or references the function.<\/p>\n

We can just as easily pipe a hand-typed list of RODCs:<\/p>\n

“NINJARODC01”, “ninjarodc02” | Get-ADRodcAuthenticatedNotRevealed  <\/p>\n

Or the contents of a text file:<\/p>\n

Get-Content –Path rodc.txt | Get-ADRodcAuthenticatedNotRevealed <\/p>\n

By the way, this is the geeky way to get the contents of that file:<\/p>\n

${c:rodc.txt} | Get-ADRodcAuthenticatedNotRevealed  <\/p>\n

The Get-ADRodcAuthenticatedNotRevealed<\/strong> function processes each RODC that is passed down the pipeline with a Process<\/strong> script block. Script blocks are the building blocks of Windows PowerShell. They are recognized by those interesting curly braces you see everywhere: { }<\/strong>.<\/p>\n

Next, we compare the output of two cmdlets. The first cmdlet gets all authenticated accounts from the RODC currently in the pipeline:<\/p>\n

$AuthenticatedAccounts = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts<\/p>\n

The second gets all the revealed accounts:<\/p>\n

$RevealedAccounts = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts<\/p>\n

Here’s the comparison:<\/p>\n

Comparison = Compare-Object -ReferenceObject $AuthenticatedAccounts -DifferenceObject $RevealedAccounts<\/p>\n

After the comparison is performed, we filter on those accounts that only appear in the reference object by using the side indicator output, “< =”<\/strong>, as shown here:<\/p>\n

$Results = $Comparison | Where-Object {$_.SideIndicator -eq “<=”} <\/p>\n

 Here’s what the $Comparison<\/strong> side indicators represent:<\/p>\n