Returns token assignment information.
Get-SystoLockAssignment [[-Identifier] <String>] [-ResolveUser] [-Address <ServiceAddress>]
[-AuthType <NtdsAuthType>] [-DomainController <String>] [-Timeout <Int32>]
[-ProgressAction <ActionPreference>] [-IncludeTotalCount] [-Skip <UInt64>] [-First <UInt64>]
[<CommonParameters>]
Get-SystoLockAssignment [-Filter] <String> [-ResolveUser] [-Address <ServiceAddress>]
[-AuthType <NtdsAuthType>] [-DomainController <String>] [-Timeout <Int32>]
[-ProgressAction <ActionPreference>] [-IncludeTotalCount] [-Skip <UInt64>] [-First <UInt64>]
[<CommonParameters>]
Get-SystoLockAssignment [-ResolveUser] -User <Object> [-Address <ServiceAddress>] [-AuthType <NtdsAuthType>]
[-DomainController <String>] [-Timeout <Int32>] [-ProgressAction <ActionPreference>] [-IncludeTotalCount]
[-Skip <UInt64>] [-First <UInt64>] [<CommonParameters>]
The Get-SystoLockAssignment cmdlet returns token assignment information.
When called by user, all tokens assigned to that user are returned.
Filtering fields
Algorithm: OTP algorithm identifier (HOTP, TOTP)
Class: Token class (hardware or software)
NotAfter: Usage end date of the token
NotBefore: Usage start date of the token
NumberOfTransactions: Maximum number of times the token can be used
FriendlyName: Token friendly name
Identifier: Token unique identifier
Interval: Time interval value for time-based OTP algorithms, in seconds
Manufacturer: Token manufacturer name
Model: Token model name
ResponseLength: Length of the resulting one-time password
DisableTime: Value indicating when the token was disabled
Drift: Value indicating time drift for time-based tokens
LastTimeUsed: Value indicating token last usage time
LockTime: Value indicating when the token was locked
PerformedTransactions: Value indicating the number of successfully performed transactions
User: Identifier of a user this token is assigned to
IssueNumber: Token issue number
Filtering operators
Present: Represents a 'present' comparison, such as 'answer -eq *'
Absent: Represents an 'absent' comparison, such as 'answer -ne *' or '-not answer -eq *'
Equal (==, -eq): Represents an equality comparison, such as 'answer -eq 42'
LessThanOrEqual (<=, -le): Represents the 'less than or equal' comparison, such as 'answer -le 42'
GraterThanOrEqual (>=, -ge): Represents the 'greater than or equal' comparison, such as 'answer -ge 42'
NotEqual (!=, <>, -ne): Represents an inequality comparison, such as 'answer -ne 42'
LessThan (<, -lt): Represents the 'less than' comparison, such as 'answer -lt 42'
GraterThan (>, -gt): Represents the 'greater than' comparison, such as 'answer -gt 42'
Approx (~=, -approx): Represents the 'approximately equal to' comparison, such as 'name ~= joe'
BinaryOr (|, -bor): Represents the 'bitwise or' operation, such as 'answer | 42'
BinaryAnd (&, -band): Represents the 'bitwise and' operation, such as 'answer -band 42'
RecursiveMatch (-recursivematch): Represents the recursive match equality operation, such as '1.2.840.113556.1.4.1941' matching rule in NTDS
Like (~, -like): Represents the 'like' equality comparison, which is similar to Equal but supports wildcard comparison with '*'
NotLike (!~, -nlike, -notlike): Represents the 'not like' inequality comparison, which is similar to NotEqual but supports wildcard comparison with '*'
And (&&, -and): Represents the 'and' join operator, such as 'answer -le 100 -and answer -ge 50'
Or (||, -or): Represents the 'or' join operator, such as 'answer -ge 100 -or answer -le 50'
Not (!, -not): Represents the 'not' negation operator, such as '-not answer -ge 100'
All cmdlets that interact with the SystoLock service have -Address and -Timeout parameters to adjust their behavior.
You can also set the $SystoLockAddress and $SystoLockTimeout PowerShell variables, or the $SystoLockAddress and $SystoLockTimeout environment variables, to specify defaults for these parameters.
If no parameters or environment variables are specified, the timeout defaults to 3 seconds and the address is obtained from DNS for the current domain and site.
Get-SystoLockAssignment -Identifier GAKT000168DE
Returns a token assignment by a token ID.
Get-SystoLockAssignment -User 'CN=Alice,CN=Users,DC=company,DC=com'
Returns a token assignment by user distinguished name.
Get-SystoLockAssignment -User Alice
Returns a token assignment by user name.
Get-SystoLockAssignment -User 'company.com\Alice'
Returns a token assignment by user SAM account name.
Get-SystoLockAssignment -User 'Alice@company.com'
Returns a token assignment by user principal name.
Get-SystoLockAssignment -User (Get-ADUser Alice).ObjectGuid
Returns a token assignment by user GUID.
Get-SystoLockAssignment -User (Get-ADUser Alice).SID
Returns a token assignment by user SID.
Get-SystoLockAssignment -User (Get-ADUser -Identity Alice)
Returns a token assignment by ADUser object.
Get-SystoLockAssignment -First 5 -Skip 1
Returns assignments using paging parameters.
Get-SystoLockAssignment -Filter 'Identifier -like GAKT*'
Retrieves the assignment of a token through a filter.
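The following script is an added example, not part of the original cmdlet help: it combines the documented -Filter, -First and -Skip parameters to page through assignments whose hardware tokens are locked and to build a per-user report for review. It assumes that the token class is written as 'hardware' in filter values and that a 'present' test on LockTime selects locked tokens; the variable names are illustrative.

```powershell
# Added example (not from the original help page).
# Assumptions: 'hardware' is a valid filter value for Class, and
# 'LockTime -eq *' (the documented 'present' form) matches tokens that have a lock time.
$filter   = 'Class -eq hardware -and LockTime -eq *'
$pageSize = 50
$skip     = 0
$report   = [System.Collections.Generic.List[object]]::new()

do {
    # -First/-Skip are the cmdlet's paging parameters.
    # -Timeout is raised from the 3 second default (allowed range: 1 - 30 seconds).
    $page = @(Get-SystoLockAssignment -Filter $filter `
                                      -First $pageSize -Skip $skip `
                                      -Timeout 10 -ErrorAction Stop)

    foreach ($assignment in $page) {
        # Each result exposes User (String) and Tokens (String[]).
        $report.Add([pscustomobject]@{
            User       = $assignment.User
            TokenCount = @($assignment.Tokens).Count
            Tokens     = @($assignment.Tokens) -join ', '
        })
    }

    $skip += $page.Count
} while ($page.Count -eq $pageSize)   # a short page means the data set is exhausted

# Users listed here hold at least one locked hardware token.
$report | Sort-Object User | Format-Table -AutoSize
```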
Specifies service address (optional).
Accepts a URL, a host name or a Service structure returned by a previous Get-SystoLockService call.
Type: ServiceAddress
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Specifies the authentication method to use with the domain controller (optional).
The acceptable values for this parameter are: Kerberos and Negotiate.
The default method is Kerberos.
Possible values: Kerberos, Negotiate
Type: NtdsAuthType
Parameter Sets: (All)
Aliases:
Accepted values: Kerberos, Negotiate
Required: False
Position: Named
Default value: Kerberos
Accept pipeline input: False
Accept wildcard characters: False
Specifies the domain controller name (optional).
Accepts a domain name, a fully qualified domain name or an IP address of the domain controller.
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Allows objects to be filtered (default expression: 'Identifier -eq *').
Type: String
Parameter Sets: Filter
Aliases:
Required: True
Position: 0
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
Token ID or URL.
Type: String
Parameter Sets: Identifier
Aliases:
Required: False
Position: 0
Default value: *
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
Type: ActionPreference
Parameter Sets: (All)
Aliases: proga
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Determines if the cmdlet should resolve user information from Active Directory.
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
Specifies timeout (range: 1 - 30 seconds, default: 3 seconds).
Type: Int32
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Accepts user name, distinguished name, principal name, SAM account name, GUID, SID or ADUser object.
Type: Object
Parameter Sets: User
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
Reports the total number of objects in the data set (an integer) followed by the selected objects.
If the cmdlet cannot determine the total count, it displays "Unknown total count." The integer has an Accuracy property that indicates the reliability of the total count value.
The value of Accuracy ranges from 0.0 to 1.0 where 0.0 means that the cmdlet could not count the objects, 1.0 means that the count is exact, and a value between 0.0 and 1.0 indicates an increasingly reliable estimate.
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Ignores the specified number of objects and then gets the remaining objects.
Enter the number of objects to skip.
Type: UInt64
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Gets only the specified number of objects.
Enter the number of objects to get.
Type: UInt64
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Allows objects to be filtered (default expression: 'Identifier -eq *').
Token ID or URL.
Determines if the cmdlet should resolve user information from Active Directory.
Accepts user name, distinguished name, principal name, SAM account name, GUID, SID or ADUser object.
Represents user-token assignment information.
String[] Tokens: Array of user's token identifiers
String User: Active Directory user identifier
Accepts a user name, distinguished name, principal name, SAM account name, GUID, SID or ADUser object to associate the user with a token.