Assigns an OATH token to an Active Directory user.
Add-SystoLockOathTokenAssignment [-Force] [-Identifier] <String> [[-Pin] <String>] [[-RetainPassword] <Boolean>]
[-User] <Object> [-Address <ServiceAddress>] [-AuthType <NtdsAuthType>] [-DomainController <String>]
[-Timeout <Int32>] [<CommonParameters>]
Add-SystoLockOathTokenAssignment [-Force] [[-Pin] <String>] [[-RetainPassword] <Boolean>] [-Token] <OathToken>
[-User] <Object> [-Address <ServiceAddress>] [-AuthType <NtdsAuthType>] [-DomainController <String>]
[-Timeout <Int32>] [<CommonParameters>]
The Add-SystoLockOathTokenAssignment cmdlet assigns an OATH token to an Active Directory user and returns a URI string representing the token assignment.
All cmdlets that interact with the SystoLOCK service have -Address and -Timeout parameters that adjust their behavior.
You can also set the $SystoLockAddress and $SystoLockTimeout PowerShell variables, or the $SystoLockAddress and $SystoLockTimeout environment variables, to supply default values for these parameters.
If neither the parameters nor the variables are specified, the timeout defaults to 3 seconds and the address is obtained from DNS for the current domain and site.
Add-SystoLockOathTokenAssignment -Identifier GAKT000168DE -User 'CN=Alice,CN=Users,DC=company,DC=com' -Pin 123456
Assigns an OATH token specified by its identifier to a user specified by their distinguished name (DN) string.
Add-SystoLockOathTokenAssignment -Identifier GAKT000168DE -User Alice -Pin 123456
Assigns an OATH token to a user specified by their user account name.
Add-SystoLockOathTokenAssignment -Identifier GAKT000168DE -User 'alice@company.com' -Pin 123456
Assigns an OATH token to a user specified by their user principal name.
Add-SystoLockOathTokenAssignment -Identifier GAKT000168DE -User (Get-ADUser -Identity Alice).ObjectGuid -Pin 123456
Assigns an OATH token to a user specified by their global unique identifier (GUID).
Add-SystoLockOathTokenAssignment -Identifier GAKT000168DE -User (Get-ADUser -Identity Alice).SID -Pin 123456
Assigns an OATH token to a user specified by their security identifier (SID).
Add-SystoLockOathTokenAssignment -Identifier GAKT000168DE -User (Get-ADUser -Identity Alice).SamAccountName -Pin 123456
Assigns an OATH token to a user specified by their SAM account name.
Add-SystoLockOathTokenAssignment -Identifier GAKT000168DE -User (Get-ADUser -Identity Alice) -Pin 123456
Assigns an OATH token to a user specified by their Active Directory object.
Get-ADUser -Identity Alice | Add-SystoLockOathTokenAssignment -Token (New-SystoLockOathToken) -Pin 123456
Assigns an OATH token to a user specified by their Active Directory object as pipeline input object.
Get-SystoLockOathToken -Identifier GAKT000168DE | Add-SystoLockOathTokenAssignment -User $user -Pin 123456
Assigns an OATH token provided as pipeline input object to a user specified by their Active Directory object.
New-SystoLockOathToken | Add-SystoLockOathTokenAssignment -User Administrator -Force
Creates a new OATH token and assigns it to an administrative user.
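The following script is an added example, not part of the SystoLOCK documentation. It shows the session-wide defaults described above ($SystoLockAddress and $SystoLockTimeout) being set once, a batch of identifier-based assignments run against them with per-call error capture, and the returned URI collected into a report. The service host name and the second token identifier are placeholders; the SystoLOCK module is assumed to be imported already.

```powershell
# Added example, not part of the SystoLOCK documentation. Assumes the SystoLOCK
# module is already imported; the service host name below is a placeholder.

# Session-wide defaults: every SystoLOCK cmdlet in this session uses them
# unless -Address or -Timeout is passed explicitly on the call.
$SystoLockAddress = 'systolock.company.example'   # placeholder, replace with your service host
$SystoLockTimeout = 10                            # seconds; the documented range is 1-30

# Constructed input: pairs of token identifier and SAM account name.
$pending = @(
    [pscustomobject]@{ Identifier = 'GAKT000168DE'; User = 'Alice' }
    [pscustomobject]@{ Identifier = 'GAKT000168DF'; User = 'Bob' }    # constructed identifier
)

$report = foreach ($item in $pending) {
    try {
        # -ErrorAction Stop turns a failed assignment into a terminating error so
        # it reaches the catch block instead of being written and skipped over.
        $uri = Add-SystoLockOathTokenAssignment -Identifier $item.Identifier `
                                                -User $item.User `
                                                -ErrorAction Stop
        [pscustomobject]@{
            User       = $item.User
            Identifier = $item.Identifier
            Result     = 'Assigned'
            Uri        = $uri          # URI string returned by the cmdlet
        }
    }
    catch {
        [pscustomobject]@{
            User       = $item.User
            Identifier = $item.Identifier
            Result     = "Failed: $($_.Exception.Message)"
            Uri        = $null
        }
    }
}

# Review the outcome before touching anything else; failed rows keep the
# service's error text so they can be retried or escalated individually.
$report | Format-Table -AutoSize
```

A single call over a slow link can still override the session default with an explicit -Timeout (up to 30 seconds) without changing $SystoLockTimeout for the rest of the session. No PIN is passed here; if one is required, supply it per call rather than embedding it in the input list.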
Specifies the service address (optional).
Accepts a URL, a host name or a Service structure returned by a previous Get-SystoLockService call.
Type: ServiceAddress
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Specifies the authentication method to use with the domain controller (optional).
The acceptable values for this parameter are: Kerberos and Negotiate.
The default method is Kerberos.
Possible values: Kerberos, Negotiate
Type: NtdsAuthType
Parameter Sets: (All)
Aliases:
Accepted values: Kerberos, Negotiate
Required: False
Position: Named
Default value: Kerberos
Accept pipeline input: False
Accept wildcard characters: False
Specifies the domain controller name (optional).
Accepts a domain name, a fully qualified domain name or an IP address of the domain controller.
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Forces the command to create an assignment even if the user is the last member of the Administrators group or has no UPN defined.
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
Specifies the token identifier or URL.
Type: String
Parameter Sets: Identifier
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Specifies the user PIN code.
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 2
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
If set to $true, keeps the user's current password and does not enforce the SmartCard-only authentication account option.
If set to $false, enforces the SmartCard-only authentication account option even if the user already has tokens assigned with password retention.
If the value is not provided or is set to $null, the server does not enforce the SmartCard-only authentication account option if the user already has one or more tokens assigned with the password retention option set to $true.
Type: Boolean
Parameter Sets: (All)
Aliases:
Required: False
Position: 3
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
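The function below is an added example, not part of the SystoLOCK documentation, and serves two passages on this page: the -Force description (the cmdlet refuses to assign when the user is the last member of the Administrators group or has no UPN) and the tri-state -RetainPassword parameter. Instead of reaching for -Force, it preflights both conditions with the ActiveDirectory module and fails with a readable reason; it then builds the argument set by splatting so that -RetainPassword is passed as $true, $false, or omitted entirely (leaving the server's default behavior in force). The function name, its switches and the group-membership check are hypothetical wrappers assumed for this example.

```powershell
# Added example, not part of the SystoLOCK documentation. Assumes the SystoLOCK
# and ActiveDirectory modules are imported. Add-OathTokenWithPolicy and its
# switches are hypothetical; the preflight checks approximate the conditions
# that Add-SystoLockOathTokenAssignment refuses without -Force.
function Add-OathTokenWithPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Identifier,
        [Parameter(Mandatory)] [string] $User,        # SAM account name
        [switch] $KeepPassword,                       # maps to -RetainPassword $true
        [switch] $EnforceSmartCardOnly                # maps to -RetainPassword $false
    )

    if ($KeepPassword -and $EnforceSmartCardOnly) {
        throw '-KeepPassword and -EnforceSmartCardOnly are mutually exclusive.'
    }

    # Preflight 1: the account must have a UPN; surface that instead of forcing.
    $account = Get-ADUser -Identity $User -Properties UserPrincipalName
    if (-not $account.UserPrincipalName) {
        throw "User '$User' has no UPN defined; set one before assigning a token."
    }

    # Preflight 2: do not leave the domain with a single admin that could be
    # locked out by a smart-card-only policy (hypothetical check, direct
    # user members of Administrators only).
    $admins = @(Get-ADGroupMember -Identity 'Administrators' |
                Where-Object objectClass -eq 'user')
    if ($admins.Count -eq 1 -and $admins[0].SamAccountName -eq $account.SamAccountName) {
        throw "User '$User' is the only member of Administrators; add another admin first."
    }

    # Build the argument set. -RetainPassword is tri-state: when neither switch
    # is given the key is left out, which the service treats as $null.
    $params = @{
        Identifier  = $Identifier
        User        = $account          # ADUser object is an accepted -User value
        ErrorAction = 'Stop'
    }
    if ($KeepPassword)          { $params['RetainPassword'] = $true }
    elseif ($EnforceSmartCardOnly) { $params['RetainPassword'] = $false }

    # Returns the assignment URI string on success.
    Add-SystoLockOathTokenAssignment @params
}

# Usage: enforce SmartCard-only logon for Alice. Omit both switches to keep the
# server's default handling of previously retained passwords.
Add-OathTokenWithPolicy -Identifier 'GAKT000168DE' -User 'Alice' -EnforceSmartCardOnly
```

Splatting is what makes the third state possible: a [Boolean] argument cannot express "not provided", so the key is added to the hashtable only when a policy switch was given.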
Specifies the timeout in seconds (range: 1 - 30, default: 3).
Type: Int32
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Specifies an OathToken structure.
Type: OathToken
Parameter Sets: Token
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByValue)
Accept wildcard characters: False
Accepts a user name, distinguished name, principal name, SAM account name, GUID, SID or ADUser object.
Type: Object
Parameter Sets: (All)
Aliases:
Required: True
Position: 0
Default value: None
Accept pipeline input: True (ByValue)
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Specifies an OathToken structure.
Accepts a user name, distinguished name, principal name, SAM account name, GUID, SID or ADUser object.
Contains user-token assignment information.
String Tokens: array of the user's token identifiers.
String User: Active Directory user identifier.
UserDN: user distinguished name.
Identifier: OATH token unique identifier.
Class: token class.
Algorithm: OATH token algorithm.
IsActive: $true if the token is active; otherwise $false.
LastUsed: the date, in local time, when the token was last used.
Drift: token drift value.
HasConstraints: $true if the token has constraints; otherwise $false.
HasPin: $true if the token has a PIN; otherwise $false.
Token: OATH token object.
User: Active Directory user object.
Accepts a user name, distinguished name, principal name, SAM account name, GUID, SID or ADUser object to associate the user with a token.
Get-SystoLockOathTokenAssignment
Remove-SystoLockOathTokenAssignment