Security Focus: Use PowerShell to List Authentication Policy Silo Members

A while back, I wrote a couple of posts on implementing Authentication Policies and Authentication Policy Silos.

Authentication Policy Silos


We can use an Authentication Policy Silo to restrict the authentication scope of highly privileged users, e.g. user A can only authenticate against server A and server B... if they try to log on anywhere else, they get a 'computer-says-no' message.


How do we use PowerShell to list Authentication Policy Silo members, i.e. the users, computers and service accounts in scope of the silo?


Exhibit A

(Get-ADAuthenticationPolicySilo -Identity "Tier_0_Auth_Pol_Silo").Members


Exhibit B

(Get-ADAuthenticationPolicySilo -Identity "Tier_0_Auth_Pol_Silo").Members | ForEach-Object {
    # Each member is a distinguished name; look it up and show which silo it has been assigned
    Get-ADObject -Identity $_ -Properties msDS-AssignedAuthNPolicySilo | Select-Object Name,msDS-AssignedAuthNPolicySilo
}

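Exhibit B is useful because silo membership has two sides: the silo's Members list and the msDS-AssignedAuthNPolicySilo attribute on each principal, and the silo only takes effect for a principal when both agree. The following audit script is an added example (not from the original post); it assumes the silo name from the post, the ActiveDirectory module, and that the silo's DN contains no LDAP special characters.

```powershell
# Added audit example: compare the silo's Members list with the objects whose
# msDS-AssignedAuthNPolicySilo points back at the silo, and report whether
# the silo is enforced. The silo name is taken from the post; everything
# else here is assumed.
Import-Module ActiveDirectory

function Test-AuthPolicySiloMembership {
    param(
        [Parameter(Mandatory)] [string] $SiloName
    )

    $silo = Get-ADAuthenticationPolicySilo -Identity $SiloName

    # Side 1: the distinguished names the silo lists as its members
    $listed = @($silo.Members)

    # Side 2: principals whose msDS-AssignedAuthNPolicySilo names this silo.
    # Assumes the silo DN has no characters needing LDAP filter escaping.
    $assigned = @(
        Get-ADObject -LDAPFilter "(msDS-AssignedAuthNPolicySilo=$($silo.DistinguishedName))" |
            Select-Object -ExpandProperty DistinguishedName
    )

    # A principal on only one side is not actually covered by the silo
    $onlyListed   = @($listed   | Where-Object { $assigned -notcontains $_ })
    $onlyAssigned = @($assigned | Where-Object { $listed   -notcontains $_ })

    [pscustomobject]@{
        Silo              = $silo.Name
        Enforced          = [bool]$silo.Enforce     # audit-only mode if $false
        ListedMembers     = $listed.Count
        AssignedObjects   = $assigned.Count
        ListedNotAssigned = $onlyListed             # in Members, but never assigned
        AssignedNotListed = $onlyAssigned           # assigned, but missing from Members
    }
}

Test-AuthPolicySiloMembership -SiloName 'Tier_0_Auth_Pol_Silo' | Format-List
```

Any names under ListedNotAssigned or AssignedNotListed, or Enforced reading False, mean the restriction described above is not yet applied to those accounts.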
Right, I'm off to watch some open-air Shakespeare. Who knows what the bard would've made of Authentication Policy Silo members!
