Get-QARSAccessTemplateLink
From PowerGUI Wiki
Retrieve Access Template Link objects from ActiveRoles Server. This cmdlet requires a connection to be established to the ActiveRoles Server Administration Service by supplying the Proxy parameter.
Contents |
Syntax
Get-QARSAccessTemplateLink [[-Identity] <IdentityParameter>] [-ObjectAttributes <Object>] [-ldapFilter <String>] [-PageSize <Int32>] [-SizeLimit <Int32>] [-DirectoryObject <IdentityParameter[]>] [-Trustee <IdentityParameter[]>] [-AccessTemplate <IdentityParameter[]>] [-Enabled] [-Disabled] [-Predefined [<Boolean>]] [-AppliedTo <ATLinkFlags>] [-Description <String>] [-SynchronizedToAD [<Boolean>]] [-Proxy] [-Service <String>] [-ConnectionAccount <String>] [-ConnectionPassword <SecureString>] [-Credential <PSCredential>] [-Connection <ArsConnection>] [-UseGlobalCatalog] [<CommonParameters>]
Detailed Description
Use this cmdlet to retrieve ActiveRoles Server Access Template Link objects (also referred to as Access Template links) that meet the conditions you specify. Each Access Template link contains information on how a certain Access Template is applied to determine access rights of a certain security principal (Trustee) on a certain directory object (securable object). Access Template Link objects can be used as input to *-QARSAccessTemplateLink cmdlets for managing Access Template link data. For background information about Access Templates, see ActiveRoles Server Administrator Guide.
The cmdlet has optional parameters that determine the server and the security context for the operation. The connection parameters could be omitted since a connection to a server is normally established prior to using this cmdlet. In this case, the server and the security context are determined by the Connect-QADService cmdlet.
If you do not use Connect-QADService and have no connection established prior to using a cmdlet, then the connection settings, including the server and the security context, are determined by the connection parameters of the first cmdlet you use. Subsequent cmdlets will use those settings by default.
Note that this cmdlet requires a connection to the ActiveRoles Server Administration Service, so the Proxy parameter must be used to establish a connection.
Related Commands
Parameters
| Name | Description | Required? | Pipeline Input | Default Value |
|---|---|---|---|---|
| Identity | If you want the cmdlet to retrieve a single Access Template Link object by name, specify the name, canonical name, or distinguished name (DN) of the respective AT Link object (located in the 'Configuration/AT Links' container in the ActiveRoles Server Configuration namespace). If you want to search for AT Links by other properties, omit this parameter. | false | true (ByValue, ByPropertyName) | |
| ObjectAttributes | Specify an associative array that defines the Access Template link attributes to search. The array syntax:
@{attr1='val1';attr2='val2';...} In this syntax, each of the key-value pairs is the LDAP display name and the value of an attribute to search. A value may include an asterisk character - a wildcard representing any group of characters. For information about associative arrays, type the following command at the PowerShell command-prompt: help about_associative_array | false | false | |
| ldapFilter | Specify the LDAP search filter that defines your search criteria. Note that the search filter string is case-sensitive.
The cmdlet disregards this parameter if an Identity value is supplied. If you want this parameter to have effect, do not supply any Identity value on the command line. With the LdapFilter parameter, the cmdlet disregards the attribute-specific parameters. If you want to define search criteria based on specific attributes, do not supply LdapFilter on the command line. | false | false | |
| PageSize | Set the maximum number of items in each page of the search results that will be returned by the cmdlet. After the directory server has found the number of objects that are specified by this parameter, it will stop searching and return the results to the cmdlet. When the cmdlet requests more data, the server will restart the search where it left off. You can use this setting to adjust the number of requests (network calls) to the directory server issued by the cmdlet during a search.
Normally, the default page size is 50. You can view or modify this default setting by using the Get-QADPSSnapinSettings or Set-QADPSSnapinSettings cmdlet, respectively. | false | false | |
| SizeLimit | Set the maximum number of items to be returned by the cmdlet. Normally, the default size limit is 1000. You can view or modify this default setting by using the Get-QADPSSnapinSettings or Set-QADPSSnapinSettings cmdlet, respectively. | false | false | |
| DirectoryObject | Specify the identity (such as name, distinguished name, domain\name, etc.) of a directory object for the cmdlet to retrieve Access Template links that determine ActiveRoles Server security settings on that object. | false | false | |
| Trustee | Specify the identity (such as name, distinguished name, domain\name, etc.) of a security principal object (such as user or group) for the cmdlet to retrieve Access Template links that determine access rights given to that object in ActiveRoles Server. | false | false | |
| AccessTemplate | Specify the identity (such as name, distinguished name, etc.) of an Access Template for the cmdlet to retrieve Access Template links that apply the Access Template specified. | false | false | |
| Enabled | Supply this parameter for the cmdlet to retrieve only those Access Template links that are configured to have effect in ActiveRoles Server (enabled links). | false | false | |
| Disabled | Supply this parameter for the cmdlet to retrieve only those Access Template links that are configured to have no effect in ActiveRoles Server (disabled links). | false | false | |
| Predefined | Set the value of this parameter to 'true' for the cmdlet to retrieve only those Access Template links that are marked "predefined" in ActiveRoles Server. The predefined Access Template links are installed with ActiveRoles Server, and cannot be modified or deleted. | false | false | |
| AppliedTo | This parameter causes the cmdlet to retrieve only those Access Template links that have specific settings for permission inheritance. Valid parameter values are:
'This' - Indicates no inheritance. The Access Template link information is only used on the object to which the Access Template is applied. Access Template link information is not inherited by any descendents of the object. 'ThisObjectAndAllChildObjects' - Indicates inheritance that includes the object to which the Access Template is applied, the object's immediate children, and the descendents of the object's children. 'ThisObjectAndImmediateChildObjects' - Indicates inheritance that includes the object itself and its immediate children. It does not include the descendents of its children. 'AllChildObjects' - Indicates inheritance that includes the object's immediate children and the descendants of the object's children, but not the object itself. 'ImmediateChildObjects' - Indicates inheritance that includes the object's immediate children only, not the object itself or the descendents of its children. | false | false | |
| Description | Specify the description (or a part of description) of Access Template links you want the cmdlet to retrieve. | false | false | |
| SynchronizedToAD | Set the value of this parameter to 'true' for the cmdlet to retrieve only those Access Template links that are configured with the option to propagate permission settings to Active Directory. If you want the cmdlet to retrieve only those links that do not propagate permission settings to Active Directory, set the value of this parameter to 'false'. | false | false | |
| Proxy | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| Service | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| ConnectionAccount | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| ConnectionPassword | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| Credential | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| Connection | For parameter description, see help on the Connect-QADService cmdlet. | false | true (ByValue) | |
| UseGlobalCatalog | For parameter description, see help on the Connect-QADService cmdlet. | false | false |
Examples
Example 1
connect-QADService -Proxy C:\PS>get-QARSAccessTemplateLink | format-List DirectoryObject, AccessTemplate, Trustee
Connect to any available Administration Service and, for every Access Template link, list the distinguished names of the following entities:
Directory object. The securable object to which the given link
applies an Access Template.
Access Template. The Access Template that is applied
by the given link.
Trustee. The security principal whose access rights
on the securable object are specified
by the given link.
Namely, this command retrieves and displays the values of the DirectoryObject, AccessTemplate, and Trustee properties of the objects returned by the cmdlet.
Example 2
connect-QADService -Proxy C:\PS>get-QARSAccessTemplateLink -AccessTemplate 'AR Server Security - Active Directory Container'| format-List DirectoryObject
Given the name of an Access Template, list all objects on which the Access Template determines security settings (for each link that is based on that Access Template, list the securable object to which the link is applied). This command retrieves and displays the value of the DirectoryObject property of the objects returned by the cmdlet.
Example 3
connect-QADService -Proxy C:\PS>get-QARSAccessTemplateLink -AccessTemplate 'AR Server Security - Active Directory Container'| format-List Trustee
Given the name of an Access Template, list all objects that have their access rights defined by using the given Access Template (for each link that is based on that Access Template, list the security principal to which the link points). This command retrieves and displays the value of the Trustee property of the objects returned by the cmdlet.
Example 4
connect-QADService -Proxy C:\PS>get-QARSAccessTemplateLink –Trustee 'domainName\groupName' | format-List DirectoryObject, AccessTemplate
Given the pre-Windows 2000 name of a group, list all the Access Templates that determine access rights of that group (find all Access Template links that have the given group set as the security principal, and then, for every such link, list the Access Template on which the link is based and the securable object to which the link is applied).
Example 5
connect-QADService -Proxy C:\PS>get-QARSAccessTemplateLink –DirectoryObject 'Configuration/Managed Units/ManagedUnitName' | format-List Trustee, AccessTemplate
Given the name of an ActiveRoles Server Managed Unit (MU), list all the Access Templates that determine security settings on that MU (find all Access Template links that have the given MU set as the securable object, and then, for every such link, list the Access Template on which the link is based and the security principal to which the link points).
Example 6
connect-QADService -Proxy
C:\PS>get-QADObject -SearchRoot 'OrganizationalUnitName' | %{get-QARSAccessTemplateLink -DirectoryObject $_ –SynchronizedToAD $true | format-List AccessTemplate, DirectoryObject}
For a given organizational unit (OU), list the objects in that OU that have native Active Directory permission settings defined by using any Access Template (find all the Access Templates linked to any object in the OU with the option to synchronize the resulting permission settings to Active Directory).
Example 7
connect-QADService -Proxy C:\PS>get-QARSAccessTemplateLink -AccessTemplate 'AccessTemplateName' -DirectoryObject 'OrganizationalUnitName' -Predefined $false | remove-QARSAccessTemplateLink -Confirm
Given the name of an Access Template and the name of an organizational unit (OU), remove all security settings on that OU that are determined by that Access Template (remove all links that are based on the given Access Template and applied to the given OU).
Example 8
connect-QADService -Proxy C:\PS>get-QARSAccessTemplateLink -AccessTemplate 'AccessTemplateName' -Trustee 'domainName\groupName' -Predefined $false | remove-QARSAccessTemplateLink -Confirm
Given the name of an Access Template and the pre-Windows 2000 name of a group, revoke all access rights from that group that are defined by using that Access Template (remove all links that are based on the given Access Template and point to the given group).
