Security Focus: Use PowerShell to List Authentication Policy Silo Members
A while back, I wrote a couple of posts on implementing Authentication Policies and Authentication Policy Silos.
We can use an Authentication Policy Silo to restrict the authentication scope of highly privileged users, e.g. user A can only authenticate against server A and server B... if they try to log on anywhere else, they get a 'computer-says-no' message.
How do we use PowerShell to list Authentication Policy Silo members, i.e. the users, computers and service accounts in scope of the silo?
Exhibit A
# The Members property holds the distinguished names of every principal granted access to the silo
(Get-ADAuthenticationPolicySilo -Identity "Tier_0_Auth_Pol_Silo").Members
Exhibit B
# For each member DN, read back the msDS-AssignedAuthNPolicySilo attribute on the object itself,
# which shows whether the silo has actually been assigned to that principal
(Get-ADAuthenticationPolicySilo -Identity "Tier_0_Auth_Pol_Silo").Members | ForEach-Object {
    Get-ADObject -Identity $_ -Properties msDS-AssignedAuthNPolicySilo | Select-Object Name, msDS-AssignedAuthNPolicySilo
}
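As an added example (not from the original post), the function below folds Exhibits A and B together and flags members whose msDS-AssignedAuthNPolicySilo does not point back at the silo: those principals have been granted access but never had the silo assigned, so it is not enforced for them. The function name is my own; the silo name is the one used in the post, and the ActiveDirectory module is assumed to be available.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# and a silo named "Tier_0_Auth_Pol_Silo" (name taken from the post).
function Get-SiloMemberReport {
    param(
        [Parameter(Mandatory)] [string] $SiloName
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $silo = Get-ADAuthenticationPolicySilo -Identity $SiloName

    foreach ($dn in $silo.Members) {
        # Membership in the silo's list is only the access grant; the principal
        # must also carry msDS-AssignedAuthNPolicySilo pointing at this silo,
        # otherwise the silo's restrictions are not applied to it.
        $obj = Get-ADObject -Identity $dn -Properties msDS-AssignedAuthNPolicySilo, objectClass
        $assigned = $obj.'msDS-AssignedAuthNPolicySilo'

        if ($assigned -eq $silo.DistinguishedName) {
            $status = 'Assigned'
        }
        elseif ([string]::IsNullOrEmpty($assigned)) {
            $status = 'GrantedOnly'   # in Members, but no silo assigned: not enforced
        }
        else {
            $status = 'OtherSilo'     # assigned to a different silo than the one it is a member of
        }

        [PSCustomObject]@{
            Name         = $obj.Name
            ObjectClass  = $obj.ObjectClass
            AssignedSilo = $assigned
            Status       = $status
            SiloEnforced = $silo.Enforce   # $false means the silo is in audit-only mode
        }
    }
}

Get-SiloMemberReport -SiloName 'Tier_0_Auth_Pol_Silo' | Format-Table -AutoSize
```

Anything reported as GrantedOnly is the gap to close: Grant-ADAuthenticationPolicySiloAccess alone does not assign the silo to the principal.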
Right, I'm off to watch some open-air Shakespeare. Who knows what the bard would've made of Authentication Policy Silo members!