Get-QARSAccessTemplateLink

From PowerGUI Wiki

Retrieve Access Template Link objects from ActiveRoles Server. This cmdlet requires a connection to be established to the ActiveRoles Server Administration Service by supplying the Proxy parameter.

This cmdlet is part of the Quest ActiveRoles Server product. Use Get-QARSProductInfo to view information about ActiveRoles Server.

Syntax

Get-QARSAccessTemplateLink [[-Identity] <IdentityParameter>] [-AccessTemplate <IdentityParameter[]>] [-Activity <string>] [-Anr <string>] [-AppliedTo <ATLinkFlags>] [-AttributeScopeQuery <string>] [-Connection <ArsConnection>] [-ConnectionAccount <string>] [-ConnectionPassword <SecureString>] [-Control <hashtable>] [-CreatedAfter <DateTime>] [-CreatedBefore <DateTime>] [-CreatedOn <DateTime>] [-Credential <PSCredential>] [-Description <string[]>] [-DirectoryObject <IdentityParameter[]>] [-Disabled] [-DisplayName <string[]>] [-DontConvertValuesToFriendlyRepresentation] [-DontUseDefaultIncludedProperties] [-Enabled] [-ExcludedProperties <string[]>] [-IncludeAllProperties] [-IncludedProperties <string[]>] [-LastChangedAfter <DateTime>] [-LastChangedBefore <DateTime>] [-LastChangedOn <DateTime>] [-LdapFilter <string>] [-Name <string[]>] [-PageSize <int>] [-Predefined <Boolean>] [-ProgressThreshold <int>] [-Proxy] [-ReturnPropertyNamesOnly] [-SearchAttributes <Object>] [-SearchRoot <IdentityParameter[]>] [-SearchScope {Base | OneLevel | Subtree}] [-SerializeValues] [-Service <string>] [-ShowProgress] [-SizeLimit <int>] [-SynchronizedToAD <Boolean>] [-Trustee <IdentityParameter[]>] [-UseDefaultExcludedProperties <Boolean>] [-UseDefaultExcludedPropertiesExcept <string[]>] [-UseGlobalCatalog] [-WildcardMode <WildcardMode>] [<CommonParameters>]

Detailed Description

Use this cmdlet to retrieve ActiveRoles Server Access Template Link objects (also referred to as Access Template links) that meet the conditions you specify. Each Access Template link contains information on how a certain Access Template is applied to determine access rights of a certain security principal (Trustee) on a certain directory object (securable object). Access Template Link objects can be used as input to *-QARSAccessTemplateLink cmdlets for managing Access Template link data. For background information about Access Templates, see ActiveRoles Server Administrator Guide.

The cmdlet has optional parameters that determine the server and the security context for the operation. The connection parameters could be omitted since a connection to a server is normally established prior to using this cmdlet. In this case, the server and the security context are determined by the Connect-QADService cmdlet.

If you do not use Connect-QADService and have no connection established prior to using a cmdlet, then the connection settings, including the server and the security context, are determined by the connection parameters of the first cmdlet you use. Subsequent cmdlets will use those settings by default.

Note that this cmdlet requires a connection to the ActiveRoles Server Administration Service, so the Proxy parameter must be used to establish a connection.



Parameters

Name Description Required? Pipeline Input Default Value
AccessTemplate Specify the identity (such as name, distinguished name, etc.) of an Access Template for the cmdlet to retrieve Access Template links that apply the Access Template specified. false false
Activity Use this parameter to specify the line of text above the progress bar which the cmdlet displays to depict the status of the running command in case of a lengthy operation. This text describes the activity whose progress is being reported (see also ShowProgress and ProgressThreshold). If this parameter is omitted, the name of the cmdlet is displayed above the progress bar. false false
Anr Specify a value to be resolved using ambiguous name resolution (ANR). Which attributes are included in an ANR search depends upon the Active Directory schema. Thus, in Windows Server 2003 based Active Directory, the following attributes are set for ANR by default:
Display-Name (displayName) 
Given-Name (givenName) 
Legacy-Exchange-DN (legacyExchangeDN) 
ms-DS-Additional-Sam-Account-Name (msDS-AdditionalSamAccountName) 
Physical-Delivery-Office-Name (physicalDeliveryOfficeName) 
Proxy-Addresses (proxyAddresses) 
RDN (name) 
SAM-Account-Name (sAMAccountName) 
Surname (sn) 

For instance, when you supply 'ann*' as the value of this parameter, the cmdlet searches for objects that have ann at the beginning of the value of at least one of the attributes listed above.

false false
AppliedTo This parameter causes the cmdlet to retrieve only those Access Template links that have specific settings for permission inheritance. Valid parameter values are:
 'This' - Indicates no inheritance. The Access Template link information is only used on the object to which the Access Template is applied. Access Template link information is not inherited by any descendants of the object.
 'ThisObjectAndAllChildObjects' - Indicates inheritance that includes the object to which the Access Template is applied, the object's immediate children, and the descendants of the object's children.
 'ThisObjectAndImmediateChildObjects' - Indicates inheritance that includes the object itself and its immediate children. It does not include the descendants of its children.
 'AllChildObjects' - Indicates inheritance that includes the object's immediate children and the descendants of the object's children, but not the object itself.
 'ImmediateChildObjects' - Indicates inheritance that includes the object's immediate children only, not the object itself or the descendants of its children.
false false
AttributeScopeQuery Specify the LDAP display name of an attribute that has DN syntax (for example, "member" or "memberOf"). The cmdlet enumerates the Distinguished Name values of the attribute on the object specified by the SearchRoot parameter, and performs the search on the objects represented by the Distinguished Names. The SearchScope parameter has no effect in this case. The object to search must be specified by using the SearchRoot parameter rather than the Identity parameter. false false
Connection For parameter description, see help on the Connect-QADService cmdlet. false false
ConnectionAccount For parameter description, see help on the Connect-QADService cmdlet. false false
ConnectionPassword For parameter description, see help on the Connect-QADService cmdlet. false false
Control Use this parameter to pass request controls (in-controls) to ActiveRoles Server as part of an operation request. In ActiveRoles Server, request controls are used to send extra information along with an operation request, to control how ActiveRoles Server performs the request.

The parameter value is a hash table that defines the names and values of the request controls to be passed to ActiveRoles Server. The parameter syntax is as follows:

   -Control @{<name> = <value>; [<name> = <value>] ...}

In this syntax, each of the name-value pairs is the name and the value of a single control. For instructions on how to create and use hash tables, see topic "about_associative_array" or "about_hash_tables" in Windows PowerShell Help. For information about ActiveRoles Server request controls, refer to ActiveRoles Server SDK documentation.

false false
CreatedAfter Specify the lower boundary of the object creation date and time by which to filter objects found. The cmdlet returns only the objects that were created after the date and time specified. Supplying both CreatedAfter and CreatedBefore bounds a time interval for the objects' creation. If you supply only CreatedAfter, there is no upper boundary on the date. Parameter value is a DateTime object that specifies the date and time you want. false false
CreatedBefore Specify the upper boundary of the object creation date and time by which to filter objects found. The cmdlet returns only the objects that were created before the date and time specified. Supplying both CreatedAfter and CreatedBefore bounds a time interval for the objects' creation. If you supply only CreatedBefore, there is no lower boundary on the date. Parameter value is a DateTime object that specifies the date and time you want. false false
CreatedOn Specify the object creation date by which to filter objects found, searching for objects created within the date specified. This parameter is mutually exclusive with the CreatedAfter and CreatedBefore parameters. Parameter value is a DateTime object that specifies the date you want. false false
Credential For parameter description, see help on the Connect-QADService cmdlet. false false
Description Specify the description (or a part of description) of Access Template links you want the cmdlet to retrieve. false false
DirectoryObject Specify the identity (such as name, distinguished name, domain\name, etc.) of a directory object for the cmdlet to retrieve Access Template links that determine ActiveRoles Server security settings on that object. false false
Disabled Supply this parameter for the cmdlet to retrieve only those Access Template links that are configured to have no effect in ActiveRoles Server (disabled links). false false
DisplayName Search by the 'displayName' attribute. false false
DontConvertValuesToFriendlyRepresentation This parameter causes the cmdlet to represent the Integer8 and OctetString attribute values "as is," without converting them to a user-friendly, human-readable form. If this parameter is omitted, the cmdlet performs the following data conversions:
- The values of the Integer8 attributes listed in the 
  Integer8AttributesThatContainDateTimes array 
  (see the parameter descriptions for the 
  Get-QADPSSnapinSettings and Set-QADPSSnapinSettings
  cmdlets) are converted from IADsLargeInteger to DateTime
- The values of the Integer8 attributes listed in the 
  Integer8AttributesThatContainNegativeTimeSpans array 
  (see the parameter descriptions for the 
  Get-QADPSSnapinSettings and Set-QADPSSnapinSettings
  cmdlets) are converted from IADsLargeInteger to TimeSpan
- The values of the other Integer8 attributes are 
  converted from IADsLargeInteger to Int64
- The values of the OctetString attributes are converted
  from byte[] to BinHex strings

Note: This parameter has an effect only on the properties of the output object that have the member type of NoteProperty. Such properties are normally added to the output object in order to provide access to the attribute values of the respective directory object that are loaded to the local memory cache but cannot be accessed by using properties of the base object (the object for which the output object serves as a wrapper).

false false
DontUseDefaultIncludedProperties This parameter causes the cmdlet to load only a small set of attributes from the directory to the local memory cache (normally, this set is limited to objectClass and ADsPath). Other attributes are retrieved from the directory as needed when you use the cmdlet output objects to read attribute values. Thus, if you want only to count the objects that meet certain conditions (rather than examine values of particular attributes), then you can use this parameter to increase performance of your search. For examples of how to use this parameter, see documentation on the Get-QADUser cmdlet.

Note: If a cmdlet does not cache a particular attribute, then the output object returned by the cmdlet may not have a property that would provide access to the value of the attribute.

false false
Enabled Supply this parameter for the cmdlet to retrieve only those Access Template links that are configured to have effect in ActiveRoles Server (enabled links). false false
ExcludedProperties Use this parameter to specify the attributes that you do not want the cmdlet to retrieve from the directory and store in the memory cache on the local computer. Supply a list of the attribute LDAP display names as the parameter value. By default, the cmdlet caches a certain pre-defined set of attributes, which you can view or modify by using the Get- or Set-QADPSSnapinSettings cmdlet, respectively. Using the ExcludedProperties parameter you can change this default behavior on an ad-hoc basis, in order to prevent certain attributes from being loaded. Another scenario involves the use of this parameter in conjunction with IncludeAllProperties in order to restrict the set of the cached attributes.

Note: If a cmdlet does not cache a particular attribute, then the output object returned by the cmdlet may not have a property that would provide access to the value of the attribute.

false false
Identity If you want the cmdlet to retrieve a single Access Template Link object by name, specify the name, canonical name, or distinguished name (DN) of the respective AT Link object (located in the 'Configuration/AT Links' container in the ActiveRoles Server Configuration namespace). If you want to search for AT Links by other properties, omit this parameter. false true (ByValue, ByPropertyName)
IncludeAllProperties With this parameter, the cmdlet retrieves all attributes of the respective directory object (such as a User object), and stores the attribute values in the memory cache on the local computer. Attribute values can be read from the memory cache by using properties of the object returned by the cmdlet. Thus, when used in conjunction with the SerializeValues parameter, it allows an entire object to be exported from the directory to a text file. For examples of how to use this parameter, see documentation on the Get-QADUser or Get-QADObject cmdlet. false false
IncludedProperties Use this parameter to specify the attributes that you want the cmdlet to retrieve from the directory and store in the memory cache on the local computer. Supply a list of the attribute LDAP display names as the parameter value. By default, the cmdlet caches a certain pre-defined set of attributes, which you can view or modify by using the Get- or Set-QADPSSnapinSettings cmdlet, respectively. Using the IncludedProperties parameter you can direct the cmdlet to cache some attributes in addition to the default set.

Note: Caching an attribute guarantees that the value of the attribute can be read by using properties of the output object returned by the cmdlet.

false false
LastChangedAfter Specify the lower boundary of the object modification date and time by which to filter objects found. The cmdlet returns only the objects that have last changed after the date and time specified. Supplying both LastChangedAfter and LastChangedBefore bounds a time interval for the objects' last change. If you supply only LastChangedAfter, there is no upper boundary on the date. Parameter value is a DateTime object that specifies the date and time you want. false false
LastChangedBefore Specify the upper boundary of the object modification date and time by which to filter objects found. The cmdlet returns only the objects that have last changed before the date and time specified. Supplying both LastChangedAfter and LastChangedBefore bounds a time interval for the objects' last change. If you supply only LastChangedBefore, there is no lower boundary on the date. Parameter value is a DateTime object that specifies the date and time you want. false false
LastChangedOn Specify the object modification date by which to filter objects found, searching for objects that have last changed within the date specified. This parameter is mutually exclusive with the LastChangedAfter and LastChangedBefore parameters. Parameter value is a DateTime object that specifies the date you want. false false
LdapFilter Specify the LDAP search filter that defines your search criteria. Note that the search filter string is case-sensitive.

The cmdlet disregards this parameter if an Identity value is supplied. If you want this parameter to have effect, do not supply any Identity value on the command line.

If you supply the LdapFilter parameter along with attribute-specific parameters, then your search returns objects that meet the conditions defined by the LDAP filter and have the specified attributes set to the specified values.

false false
Name Search by the 'name' attribute. false false
PageSize Set the maximum number of items in each page of the search results that will be returned by the cmdlet. After the directory server has found the number of objects that are specified by this parameter, it will stop searching and return the results to the cmdlet. When the cmdlet requests more data, the server will restart the search where it left off. You can use this setting to adjust the number of requests (network calls) to the directory server issued by the cmdlet during a search.

Normally, the default page size is 50. You can view or modify this default setting by using the Get-QADPSSnapinSettings or Set-QADPSSnapinSettings cmdlet, respectively.

false false
Predefined Set the value of this parameter to 'true' for the cmdlet to retrieve only those Access Template links that are marked "predefined" in ActiveRoles Server. The predefined Access Template links are installed with ActiveRoles Server, and cannot be modified or deleted. false false
ProgressThreshold Use this parameter to specify a delay, in seconds, before the cmdlet displays a progress bar that depicts the status of the running command in case of a lengthy operation. If the running command finishes before the threshold time has elapsed, a progress bar does not appear. The default threshold time setting can be configured by using the Set-QADProgressPolicy cmdlet. false false
Proxy For parameter description, see help on the Connect-QADService cmdlet. false false
ReturnPropertyNamesOnly This parameter causes the cmdlet to list the names of the object attributes whose values the cmdlet retrieves from the directory and stores in the memory cache on the local computer. Thus, when used in conjunction with the IncludeAllProperties parameter, it lists the names of all attributes of the respective directory object (such as a User object). For examples of how to use this parameter, see documentation on the Get-QADUser or Get-QADObject cmdlet.

Note: Caching an attribute guarantees that the value of the attribute can be read by using properties of the output object returned by the cmdlet. If a particular attribute is not in the cache, the output object may not have a property that would provide access to the value of the attribute.

false false
SearchAttributes Specify an associative array that defines the object attributes and values you want. The cmdlet searches for objects that have the specified attributes set to the specified values. Array syntax:

@{attr1='val1';attr2='val2';...}

In this syntax, each of the key-value pairs is the LDAP display name and the value of an attribute to search. A value may include an asterisk character - a wildcard representing any group of characters. For information about associative arrays, type the following command at the PowerShell command-prompt:

help about_associative_array

false false
SearchRoot Specify the Distinguished Name, Canonical Name, or GUID of the container to search. By default, the cmdlet searches the entire sub-tree of which SearchRoot is the topmost object (sub-tree search). This default behavior can be altered by using the SearchScope parameter.

The search criteria are defined by the LdapFilter parameter value and the values of attribute-specific parameters.

The cmdlet disregards this parameter if an Identity value is supplied. If you want this parameter to have effect, do not supply any Identity parameter value.

false false
SearchScope Specify one of these parameter values:
 'Base' - Limits the search to the base (SearchRoot) object. The result contains a maximum of one object.
 'OneLevel' - Searches the immediate child objects of the base (SearchRoot) object, excluding the base object.
 'Subtree' - Searches the whole sub-tree, including the base (SearchRoot) object and all its child objects.

Normally, if this parameter is not supplied, the cmdlet performs a Subtree search. You can view or modify this default setting by using the Get-QADPSSnapinSettings or Set-QADPSSnapinSettings cmdlet, respectively.

The following values are permitted for this object type.

false false
SerializeValues This parameter causes the cmdlet to output an object whose properties store the attribute values of the respective directory object that are loaded to the local memory cache. The value returned by each property of the output object is represented as a string (serialized) so as to facilitate the export of the attribute values to a text file. Thus, when used in conjunction with the IncludeAllProperties parameter, this parameter allows an entire object to be exported from the directory to a text file. For examples of how to use this parameter, see documentation on the Get-QADUser cmdlet. false false
Service For parameter description, see help on the Connect-QADService cmdlet. false false
ShowProgress Supply this parameter if you want the cmdlet to display a progress bar that depicts the status of the running command in case of a lengthy operation. If this parameter is omitted, whether the cmdlet displays a progress bar depends upon the ShowProgress setting configured by using the Set-QADProgressPolicy cmdlet. false false
SizeLimit Set the maximum number of items to be returned by the cmdlet. Normally, the default size limit is 1000. You can view or modify this default setting by using the Get-QADPSSnapinSettings or Set-QADPSSnapinSettings cmdlet, respectively. false false
SynchronizedToAD Set the value of this parameter to 'true' for the cmdlet to retrieve only those Access Template links that are configured with the option to propagate permission settings to Active Directory. If you want the cmdlet to retrieve only those links that do not propagate permission settings to Active Directory, set the value of this parameter to 'false'. false false
Trustee Specify the identity (such as name, distinguished name, domain\name, etc.) of a security principal object (such as user or group) for the cmdlet to retrieve Access Template links that determine access rights given to that object in ActiveRoles Server. false false
UseDefaultExcludedProperties When set to 'true', this parameter causes the cmdlet not to load a certain pre-defined set of attributes from the directory to the local memory cache. This pre-defined set of attributes (referred to as "default excluded properties") can be viewed or modified by using the Get- or Set-QADPSSnapinSettings cmdlet, respectively. Normally, this parameter is used in conjunction with IncludeAllProperties to avoid retrieval of unnecessary data from the directory server, thereby increasing performance of the search operation performed by the cmdlet.

Note: If a cmdlet does not cache a particular attribute, then the output object returned by the cmdlet may not have a property that would provide access to the value of the attribute.

false false
UseDefaultExcludedPropertiesExcept This parameter is deprecated, and has no effect. false false
UseGlobalCatalog For parameter description, see help on the Connect-QADService cmdlet. false false
WildcardMode Specify either 'PowerShell' or 'LDAP' as the parameter value. Normally, if this parameter is not supplied, the cmdlet assumes that WildcardMode is set to 'LDAP'. You can view or modify this default setting by using the Get- or Set-QADPSSnapinSettings cmdlet, respectively. The 'PowerShell' value causes the cmdlet to use PowerShell wildcards and quoting rules. Wildcards are processed on the client side, which may result in slow search performance.

For information about PowerShell wildcards and quoting rules, type the following commands at the PowerShell command-prompt:

help about_wildcard
help about_quoting_rule

The 'LDAP' value causes the cmdlet to use LDAP wildcards (asterisks only) and LDAP quoting rules (backslash as the escape character). Wildcards are processed on the server side, which enables faster search results.

false false

Examples

EXAMPLE 1

connect-QADService -Proxy

C:\PS>get-QARSAccessTemplateLink |	
 format-List DirectoryObject, AccessTemplate, Trustee

Description


Connect to any available Administration Service and, for every Access Template link, list the distinguished names of the following entities:

 Directory object  The securable object to which the given link
                   applies an Access Template.
 Access Template   The Access Template that is applied
                   by the given link.
 Trustee           The security principal whose access rights
                   on the securable object are specified
                   by the given link.

Namely, this command retrieves and displays the values of the DirectoryObject, AccessTemplate, and Trustee properties of the objects returned by the cmdlet.

EXAMPLE 2

connect-QADService -Proxy

C:\PS>get-QARSAccessTemplateLink -AccessTemplate 'AR Server Security - Active Directory Container'|	
 format-List DirectoryObject

Description


Given the name of an Access Template, list all objects on which the Access Template determines security settings (for each link that is based on that Access Template, list the securable object to which the link is applied). This command retrieves and displays the value of the DirectoryObject property of the objects returned by the cmdlet.

EXAMPLE 3

connect-QADService -Proxy

C:\PS>get-QARSAccessTemplateLink -AccessTemplate 'AR Server Security - Active Directory Container'|	
 format-List Trustee

Description


Given the name of an Access Template, list all objects that have their access rights defined by using the given Access Template (for each link that is based on that Access Template, list the security principal to which the link points). This command retrieves and displays the value of the Trustee property of the objects returned by the cmdlet.

EXAMPLE 4

connect-QADService -Proxy

C:\PS>get-QARSAccessTemplateLink -Trustee 'domainName\groupName' |	
 format-List DirectoryObject, AccessTemplate

Description


Given the pre-Windows 2000 name of a group, list all the Access Templates that determine access rights of that group (find all Access Template links that have the given group set as the security principal, and then, for every such link, list the Access Template on which the link is based and the securable object to which the link is applied).

EXAMPLE 5

connect-QADService -Proxy

C:\PS>get-QARSAccessTemplateLink -DirectoryObject 'Configuration/Managed Units/ManagedUnitName' |	
 format-List Trustee, AccessTemplate

Description


Given the name of an ActiveRoles Server Managed Unit (MU), list all the Access Templates that determine security settings on that MU (find all Access Template links that have the given MU set as the securable object, and then, for every such link, list the Access Template on which the link is based and the security principal to which the link points).

EXAMPLE 6

connect-QADService -Proxy

C:\PS>get-QADObject -SearchRoot 'OrganizationalUnitName' |	
 %{get-QARSAccessTemplateLink -DirectoryObject $_ -SynchronizedToAD $true |	
 format-List AccessTemplate, DirectoryObject}

Description


For a given organizational unit (OU), list the objects in that OU that have native Active Directory permission settings defined by using any Access Template (find all the Access Templates linked to any object in the OU with the option to synchronize the resulting permission settings to Active Directory).

EXAMPLE 7

connect-QADService -Proxy

C:\PS>get-QARSAccessTemplateLink -AccessTemplate 'AccessTemplateName' -DirectoryObject 'OrganizationalUnitName' -Predefined $false |	
 remove-QARSAccessTemplateLink -Confirm

Description


Given the name of an Access Template and the name of an organizational unit (OU), remove all security settings on that OU that are determined by that Access Template (remove all links that are based on the given Access Template and applied to the given OU).

EXAMPLE 8

connect-QADService -Proxy

C:\PS>get-QARSAccessTemplateLink -AccessTemplate 'AccessTemplateName' -Trustee 'domainName\groupName' -Predefined $false |	
 remove-QARSAccessTemplateLink -Confirm

Description


Given the name of an Access Template and the pre-Windows 2000 name of a group, revoke all access rights from that group that are defined by using that Access Template (remove all links that are based on the given Access Template and point to the given group).
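
The following is an added example, not part of the original page or of the product documentation. It combines the Enabled, Predefined, SynchronizedToAD, AppliedTo and CreatedAfter parameters described above to pull the links most worth a delegation review (custom links that push permissions into Active Directory across a whole sub-tree), then summarizes them per Trustee. The function names, the 30-day window, the size limit of 5000 and the sample objects are assumptions made for illustration.

```powershell
# Added example, not from the original page. Assumes the ActiveRoles Server
# cmdlets are already loaded in the session.

function Get-BroadSyncedATLink {
    # Enabled, non-predefined links that propagate permissions to Active
    # Directory and are inherited by the whole sub-tree, created recently.
    param(
        [int]$CreatedWithinDays = 30,   # hypothetical review window
        [int]$SizeLimit = 5000          # the page gives 1000 as the usual default
    )
    Connect-QADService -Proxy | Out-Null
    Get-QARSAccessTemplateLink -Enabled -Predefined $false `
        -SynchronizedToAD $true -AppliedTo 'ThisObjectAndAllChildObjects' `
        -CreatedAfter (Get-Date).AddDays(-$CreatedWithinDays) `
        -SizeLimit $SizeLimit
}

function Group-ATLinkByTrustee {
    # Summarize links per Trustee, using only the three properties shown in
    # the examples on this page: Trustee, AccessTemplate, DirectoryObject.
    param([Parameter(ValueFromPipeline = $true)]$Link)
    begin   { $all = @() }
    process { $all += $Link }
    end {
        $all | Group-Object { [string]$_.Trustee } | ForEach-Object {
            $templates = $_.Group | ForEach-Object { [string]$_.AccessTemplate } |
                Sort-Object -Unique
            $targets = $_.Group | ForEach-Object { [string]$_.DirectoryObject } |
                Sort-Object -Unique
            New-Object PSObject -Property @{
                Trustee          = $_.Name
                LinkCount        = $_.Count
                AccessTemplates  = $templates -join '; '
                DirectoryObjects = $targets -join '; '
            }
        } | Sort-Object LinkCount -Descending |
            Select-Object Trustee, LinkCount, AccessTemplates, DirectoryObjects
    }
}

# Constructed sample objects so the summary logic can be tried without a
# connection to an Administration Service. All values are made up.
function New-SampleLink($Trustee, $AccessTemplate, $DirectoryObject) {
    New-Object PSObject -Property @{
        Trustee         = $Trustee
        AccessTemplate  = $AccessTemplate
        DirectoryObject = $DirectoryObject
    }
}

$sample = @(
    New-SampleLink 'EXAMPLE\Helpdesk' 'Constructed AT - Reset Passwords' 'OU=Staff,DC=example,DC=com'
    New-SampleLink 'EXAMPLE\Helpdesk' 'Constructed AT - Manage Groups'   'OU=Groups,DC=example,DC=com'
    New-SampleLink 'EXAMPLE\Interns'  'Constructed AT - Reset Passwords' 'OU=Staff,DC=example,DC=com'
)

$sample | Group-ATLinkByTrustee | Format-List

# Against a live Administration Service, feed the real query into the same
# summary and keep the result for review:
#   Get-BroadSyncedATLink | Group-ATLinkByTrustee |
#       Export-Csv .\at-link-review.csv -NoTypeInformation
```

Trustees at the top of the output hold the most sub-tree-wide, AD-synchronized links and are the first candidates to check against least privilege.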
