Assigns a token to an Active Directory user.
Add-SystoLockAssignment [[-Pin] <String>] [-Identifier] <String> [-User] <Object> [[-RetainPassword] <Boolean>]
[-Address <ServiceAddress>] [-AuthType <NtdsAuthType>] [-DomainController <String>] [-Timeout <Int32>]
[<CommonParameters>]
Add-SystoLockAssignment [[-Pin] <String>] [-Token] <OathToken> [-User] <Object> [[-RetainPassword] <Boolean>]
[-Address <ServiceAddress>] [-AuthType <NtdsAuthType>] [-DomainController <String>] [-Timeout <Int32>]
[<CommonParameters>]
Assigns a token to an Active Directory user.
Returns a URI string representing the assigned token.
All cmdlets that interact with the SystoLock service have -Address and -Timeout parameters to adjust their behavior.
You can also set the $systolockaddress and $systolocktimeout PowerShell variables, or the SLOCKADDRESS and SLOCKTIMEOUT environment variables, to supply defaults for these parameters.
If no parameters or environment variables are specified, the timeout defaults to 3 seconds and the address is obtained from DNS for the current domain and site.
Add-SystoLockAssignment -Identifier GAKT000168DE -User 'CN=Alice,CN=Users,DC=company,DC=com' -Pin 123456
Assigning a token to a user, specifying the user's DN.
Add-SystoLockAssignment -Identifier GAKT000168DE -User Alice -Pin 123456
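Assigning a token to a user, specifying the user's login name or UPN.
$guid = [System.Guid]("1612287D-FCE7-44C2-9825-2DE526E04C02")
Add-SystoLockAssignment -Identifier GAKT000168DE -User $guid -Pin 123456
Assigning a token to a user, specifying the user's GUID.
$sid = [System.Security.Principal.SecurityIdentifier]("S-1-5-21-1454471165-1004335555-1606985555-5555")
Add-SystoLockAssignment -Identifier GAKT000168DE -User $sid -Pin 123456
Assigning a token to a user, specifying the user's SID.
$user = Get-ADUser -Identity Alice
Add-SystoLockAssignment -Identifier GAKT000168DE -User $user -Pin 123456
Assigning a token to a user, specifying an ADUser object.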
Get-ADUser -Identity Alice | Add-SystoLockAssignment -Token (New-SystoLockToken) -Pin 123456
Pipe processing.
Assigns a newly generated token to an Active Directory user.
Get-SystoLockToken -Identifier GAKT000168DE | Add-SystoLockAssignment -User (Get-ADUser Alice) -Pin 123456
Pipe processing.
Assigns an existing token to an Active Directory user.
Service address (optional).
You can pass a URL, a host name or a Service structure returned by a previous Get-SystoLockService call.
Type: ServiceAddress
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Authentication method to use with domain controller (optional).
The acceptable values for this parameter are: Kerberos and Negotiate.
The default authentication method is Kerberos.
Possible values: Kerberos, Negotiate
Type: NtdsAuthType
Parameter Sets: (All)
Aliases:
Accepted values: Kerberos, Negotiate
Required: False
Position: Named
Default value: Kerberos
Accept pipeline input: False
Accept wildcard characters: False
Domain controller name (optional).
You can pass a domain name, a fully qualified domain name or an IP address of the domain controller.
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Token ID or URL.
Type: String
Parameter Sets: Identifier
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
PIN code.
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 2
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
If set to $true, keeps the current user password and does not enforce the SmartCard only authentication account option.
If set to $false, enforces the SmartCard only authentication account option even if the user already has tokens assigned with password retention.
If the value is not provided or is set to $null, the server will not enforce the SmartCard only authentication account option if the user already has one or more tokens with the password retention option set to $true.
Type: Boolean
Parameter Sets: (All)
Aliases:
Required: False
Position: 3
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
Timeout (range: 1 - 30 seconds, default: 3 seconds).
Type: Int32
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
OathToken structure.
Type: OathToken
Parameter Sets: Token
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
User name, distinguished name, principal name, SAM account name, GUID, SID or ADUser object.
Type: Object
Parameter Sets: (All)
Aliases:
Required: True
Position: 0
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Represents user-token assignment information.
String[] Tokens: Array of user's token identifiers
String User: Active Directory user identifier
You can pass a user name, distinguished name, principal name, SAM account name, GUID, SID or ADUser object to associate the user with a token.
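The -RetainPassword behaviour described above means that omitting the parameter can leave password logon enabled for a user who already holds a token with password retention. The following is an added example, not part of the original reference: it passes -RetainPassword explicitly, keeps the PIN out of command history, and checks the account afterwards. It assumes the ActiveDirectory module is loaded and that the "SmartCard only authentication" account option corresponds to the SmartcardLogonRequired property returned by Get-ADUser; the token identifier and user name are the sample values used in the examples on this page.

```powershell
# Added example (not from the SystoLock documentation).
# Sample values taken from the examples on this page.
$tokenId  = 'GAKT000168DE'
$userName = 'Alice'

# Session default instead of repeating -Timeout on every call (range 1-30 seconds).
$systolocktimeout = 10

# Prompt for the PIN so it does not end up in command history or transcripts.
# -Pin takes a String, so the SecureString is converted just before the call.
$securePin = Read-Host -Prompt "PIN for token $tokenId" -AsSecureString
$pin = [System.Net.NetworkCredential]::new('', $securePin).Password

try {
    $user = Get-ADUser -Identity $userName -ErrorAction Stop

    # Pass -RetainPassword explicitly. With $null the server keeps password
    # logon if an earlier token was assigned with password retention.
    $assignment = Add-SystoLockAssignment -Identifier $tokenId -User $user -Pin $pin `
        -RetainPassword $false -ErrorAction Stop
}
finally {
    # Drop the plaintext PIN reference whether or not the assignment succeeded.
    $pin = $null
}

# Assumption: the "SmartCard only authentication" account option maps to the
# SmartcardLogonRequired property exposed by Get-ADUser.
$check = Get-ADUser -Identity $user -Properties SmartcardLogonRequired
if (-not $check.SmartcardLogonRequired) {
    Write-Warning "$($check.SamAccountName): password logon is still possible after token assignment."
}

# Return whatever the cmdlet produced for logging or further pipeline use.
$assignment
```

If -DomainController is passed to Add-SystoLockAssignment, query the same controller with Get-ADUser -Server so the check is not affected by replication delay.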