Share via


Security Focus: Use PowerShell to List Authentication Policy Silo Members

A while back, I wrote a couple of posts on implementing Authentication Policies and Authentication Policy Silos.

Authentication Policy Silos

 

We can use an Authentication Policy Silo to restrict the authentication scope of high privileged users, e.g. user A can only authenticate against server A and server B... if they try and logon somewhere else, they get a 'computer-says-no' message.

 

How to use PowerShell to list Authentication Policy Members, i.e. the users, computers and service accounts in scope of the silo?

 

Exhibit A

 
(Get-ADAuthenticationPolicySilo -Identity "Tier_0_Auth_Pol_Silo").Members

 

Exhibit B

 
(Get-ADAuthenticationPolicySilo -Identity "Tier_0_Auth_Pol_Silo").Members | ForEach-Object {

    Get-ADObject -Identity $_ -Properties msDS-AssignedAuthNPolicySilo | Select Name,msDS-AssignedAuthNPolicySilo

}

 
Capture171

 

Right, I'm off to watch some open-air Shakespeare. Who knows what the bard would've made of Authentication Policy Silo members!