Creates a copy of an NFC token with a derived card serial number.
Copy-SystoLockNfcToken [-Id] <String[]> [-Tweak] <String> [-Address <ServiceAddress>]
[-AuthType <NtdsAuthType>] [-DomainController <String>] [-Timeout <Int32>] [-WhatIf]
[<CommonParameters>]
Copy-SystoLockNfcToken [[-InputObject] <ProximityToken>] [-Tweak] <String> [-Address <ServiceAddress>]
[-AuthType <NtdsAuthType>] [-DomainController <String>] [-Timeout <Int32>] [-WhatIf]
[<CommonParameters>]
The Copy-SystoLockNfcToken cmdlet creates a new NFC token by copying the source token's properties and replacing
the card serial number (UID/CSN) with a derived value.
The new token receives a fresh unique identifier. The assignment and creation time are not carried over.
The -Tweak parameter is polymorphic and controls how the tweak value is resolved:
computername — resolves the named Active Directory computer account and uses its object GUID as the tweak value; equivalent to computername:guid.
computername:guid — uses the AD computer's object GUID (default attribute).
computername:sid — uses the AD computer's security identifier (SID).
computername:name — uses the AD computer's common name (CN, without the trailing $).
If the value before : is not found as a computer account in Active Directory, the full string is treated as a
bare tweak value. The disable keywords used by the client-side UID tweak configuration (-, 0, off, none,
false, disable) are not accepted and cause a parameter error.
Note: This is an advanced command intended for scenarios where the same physical card must authenticate
against multiple independent users.
All cmdlets that interact with the SystoLOCK service have -Address and -Timeout parameters to adjust their behavior.
You can also set the $SystoLockAddress and $SystoLockTimeout PowerShell variables, or the $SystoLockAddress and $SystoLockTimeout environment variables, to supply defaults for these parameters.
If no parameters or environment variables are specified, the timeout defaults to 3 seconds and the address is obtained from DNS for the current domain and site.
Copy-SystoLockNfcToken -Id YSNF000168DD -Tweak WORKSTATION01
Creates a copy of token YSNF000168DD with the serial number derived using the GUID of AD computer
WORKSTATION01. Returns the new token object.
Copy-SystoLockNfcToken -Id YSNF000168DD -Tweak WORKSTATION01:sid
Creates a copy with the serial number derived using the SID of AD computer WORKSTATION01.
Copy-SystoLockNfcToken -Id YSNF000168DD -Tweak WORKSTATION01:name
Creates a copy with the serial number derived using the computer name WORKSTATION01 as a literal string.
Copy-SystoLockNfcToken -Id YSNF000168DD -Tweak 'my-custom-tweak'
Creates a copy with the serial number derived using the bare string my-custom-tweak as the tweak value.
Get-SystoLockNfcToken -Id YSNF000168DD | Copy-SystoLockNfcToken -Tweak WORKSTATION01
Creates a copy of the specified token using input from the pipeline. The new token is registered on the
server.
Specifies the service address (optional).
Accepts a URL, a host name or a Service structure returned by a previous Get-SystoLockService call.
Type: ServiceAddress
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Specifies authentication method to use with domain controller (optional).
The acceptable values for this parameter are: Kerberos and Negotiate.
The default method is Kerberos.
Possible values: Kerberos, Negotiate
Type: NtdsAuthType
Parameter Sets: (All)
Aliases:
Accepted values: Kerberos, Negotiate
Required: False
Position: Named
Default value: Kerberos
Accept pipeline input: False
Accept wildcard characters: False
Specifies domain controller name (optional).
Accepts a domain name, a fully qualified domain name or an IP address of the domain controller.
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Specifies token identifiers.
Type: String[]
Parameter Sets: Id
Aliases: Identifier
Required: True
Position: 0
Default value: None
Accept pipeline input: True (ByValue)
Accept wildcard characters: False
Specifies the token objects to be processed.
Type: ProximityToken
Parameter Sets: InputObject
Aliases:
Required: False
Position: 0
Default value: None
Accept pipeline input: True (ByValue)
Accept wildcard characters: False
Specifies timeout (range: 1 - 30 seconds, default: 3 seconds).
Type: Int32
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Specifies the tweak value used to derive the new card serial number.
Accepted forms:
computername — AD computer GUID (default attribute).
computername:guid — AD computer GUID (explicit).
computername:sid — AD computer SID.
computername:name — AD computer CN (without trailing $).
The disable keywords -, 0, off, none, false, and disable are not accepted.
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: SwitchParameter
Parameter Sets: (All)
Aliases: wi
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Specifies one or more NFC tokens by token identifier.
Specifies NFC token object to be processed.
The new NFC token object created by copying the source token and applying the specified tweak to derive a new card serial number.
Identifier: token identifier.
AssignedTo: Distinguished name of a user the token is assigned to.
Algorithm: NFC token algorithm.
Type: NFC token type.
FriendlyName: token friendly name.
HasConstraints: A boolean value indicating that a token has constraints, such as lifetime or limited number of transactions allowed.
LastUsed: the time when the current token was last used.
PerformedTransactions: the number of times the token has been used.
NumberOfTransactions: Maximum number of times the token is allowed to be used.
IsActive: A boolean value indicating whether the token is active, e.g. is not disabled or locked.
DisabledOn: the time when the current token has been disabled.
LockedOn: the time when the current token has been locked.
CreationTime: the time when the current token has been created.
NotAfter: the time after which the token is no longer valid.
NotBefore: the time before which the token is not yet valid.
PinlessLogin: if configured, contains PIN-less configuration properties.
This is an advanced command. The derived serial number is computed as HMAC-SHA1(key=UID, data=tweak)[0..9],
matching the algorithm used by CardUidTweakConfiguration on the client side. The client-side registry policy
must be configured with a matching tweak before users are enrolled against the copied token, otherwise
authentication will fail.
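
The derivation stated above can be reproduced offline to check which serial number a given card and tweak should yield before the client policy is rolled out. The following is an added example, not SystoLOCK code: the function name Get-DerivedCardSerial is hypothetical, and it assumes a bare string tweak is hashed as its UTF-8 bytes and that [0..9] means the first ten bytes of the HMAC output. The UID and tweak values are constructed samples.

```powershell
# Added example, not vendor code. Assumptions: the tweak is a bare string hashed
# as UTF-8 bytes, and [0..9] selects the first ten bytes of the HMAC-SHA1 output.
function Get-DerivedCardSerial {
    [CmdletBinding()]
    param(
        # Card UID/CSN as hex, for example '04:A2:2B:1C:5D:6E:80' (separators optional).
        [Parameter(Mandatory)] [string] $UidHex,
        # Bare tweak string, as it would be passed to -Tweak.
        [Parameter(Mandatory)] [string] $Tweak
    )

    # Keywords the page lists as rejected by -Tweak (compared case-insensitively here).
    $disableKeywords = '-', '0', 'off', 'none', 'false', 'disable'
    if ($disableKeywords -contains $Tweak.Trim()) {
        throw "Tweak '$Tweak' is a disable keyword and is not accepted."
    }

    # Normalise the UID: drop whitespace, ':' and '-' separators, then validate.
    $hex = $UidHex -replace '[\s:\-]', ''
    if ($hex -notmatch '^([0-9A-Fa-f]{2})+$') {
        throw "UID must be an even number of hex digits: '$UidHex'"
    }
    [byte[]] $uid = for ($i = 0; $i -lt $hex.Length; $i += 2) {
        [Convert]::ToByte($hex.Substring($i, 2), 16)
    }

    # HMAC-SHA1 with key = UID and data = tweak, as stated in the notes above.
    $hmac = [System.Security.Cryptography.HMACSHA1]::new($uid)
    try {
        $mac = $hmac.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Tweak))
    } finally {
        $hmac.Dispose()
    }

    # The MAC is 20 bytes long; keep bytes 0..9 and return them as upper-case hex.
    ($mac[0..9] | ForEach-Object { $_.ToString('X2') }) -join ''
}

# Constructed sample values, not real card data: one card, two tweaks.
$uid = '04:A2:2B:1C:5D:6E:80'
'my-custom-tweak', 'other-tweak' | ForEach-Object {
    [pscustomobject]@{ Tweak = $_; DerivedCsn = Get-DerivedCardSerial -UidHex $uid -Tweak $_ }
}
```

The two rows show that one physical UID maps to a different derived serial number per tweak, which is why the client-side tweak must match the value used when the token was copied.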