New-QARSAccessTemplateLink
From PowerGUI Wiki
Use this cmdlet to apply ActiveRoles Server Access Templates. This cmdlet requires a connection to be established to the ActiveRoles Server Administration Service by supplying the Proxy parameter.
This cmdlet is part of the Quest ActiveRoles Server product. Use Get-QARSProductInfo to view information about ActiveRoles Server.
Contents |
Syntax
New-QARSAccessTemplateLink [[-Name] <string>] -AccessTemplate <IdentityParameter> -DirectoryObject <IdentityParameter> -Trustee <IdentityParameter> [-AppliedTo <ATLinkFlags>] [-Connection <ArsConnection>] [-ConnectionAccount <string>] [-ConnectionPassword <SecureString>] [-Control <hashtable>] [-Credential <PSCredential>] [-Description <string>] [-DeserializeValues] [-Disabled] [-DisplayName <string>] [-ExcludedProperties <string[]>] [-IncludedProperties <string[]>] [-ObjectAttributes <ObjectAttributesParameter>] [-Proxy] [-Service <string>] [-SynchronizedToAD <Boolean>] [-UseDefaultExcludedProperties <Boolean>] [-UseGlobalCatalog] [-Confirm] [-WhatIf] [<CommonParameters>]
Detailed Description
Using this cmdlet, you can apply Access Templates in ActiveRoles Server. The operation of applying an Access Template boils down to creation of an Access Template link. This cmdlet can take Access Template objects returned by the respective Get- cmdlet and create Access Template links, thus applying the Access Templates. Each Access Template link contains information on how a certain Access Template is applied to determine access rights of a certain security principal (Trustee) on a certain directory object (securable object). For background information about Access Templates, see ActiveRoles Server Administrator Guide.
The cmdlet has optional parameters that determine the server and the security context for the operation. Normally, the connection parameters could be omitted so far as a connection to a server is established prior to using the cmdlet. In this case, the server and the security context are determined by the Connect-QADService cmdlet.
If you do not use Connect-QADService and have no connection established prior to using a cmdlet, then the connection settings, including the server and the security context, are determined by the connection parameters of the first cmdlet you use. Subsequent cmdlets will use those settings by default.
Parameters
| Name | Description | Required? | Pipeline Input | Default Value |
|---|---|---|---|---|
| AccessTemplate | Specify the identity (such as name, distinguished name, etc.) of an Access Template you want. The cmdlet creates a link to apply that Access Template. | true | false | |
| AppliedTo | Set permission inheritance options on the link. Valid parameter values are:
'This' - Indicates no inheritance. The Access Template link information is only used on the object to which the Access Template is applied. Access Template link information is not inherited by any descendents of the object. 'ThisObjectAndAllChildObjects' - Indicates inheritance that includes the object to which the Access Template is applied, the object's immediate children, and the descendents of the object's children. 'ThisObjectAndImmediateChildObjects' - Indicates inheritance that includes the object itself and its immediate children. It does not include the descendents of its children. 'AllChildObjects' - Indicates inheritance that includes the object's immediate children and the descendants of the object's children, but not the object itself. 'ImmediateChildObjects' - Indicates inheritance that includes the object's immediate children only, not the object itself or the descendents of its children. Default setting is 'ThisObjectAndAllChildObjects'. | false | false | |
| Connection | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| ConnectionAccount | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| ConnectionPassword | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| Control | Use this parameter to pass request controls (in-controls) to ActiveRoles Server as part of an operation request. In ActiveRoles Server, request controls are used to send extra information along with an operation request, to control how ActiveRoles Server performs the request.
The parameter value is a hash table that defines the names and values of the request controls to be passed to ActiveRoles Server. The parameter syntax is as follows: -Control @{<name> = <value>; [<name> = <value>] ...}
In this syntax, each of the name-value pairs is the name and the value of a single control. For instructions on how to create and use hash tables, see topic "about_associative_array" or "about_hash_tables" in Windows PowerShell Help. For information about ActiveRoles Server request controls, refer to ActiveRoles Server SDK documentation. Note that this parameter only has an effect on the operations that are performed through ActiveRoles Server (connection established using the Proxy parameter); otherwise, this parameter causes an error condition in ActiveRoles Management Shell. | false | false | |
| Credential | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| Description | Optionally, specify a description for the link. | false | false | |
| DeserializeValues | Supply this parameter on the command line if the input you pass to the cmdlet contains serialized attribute values (for instance, when importing a directory object from a text file that was created using the Serialize parameter). For examples of how to export and import an object, see help on the Get-QADUser cmdlet. | false | false | |
| DirectoryObject | Specify the identity (such as name, distinguished name, domain\name, etc.) of a directory object you want. The cmdlet configures the link to apply the Access Template to that object (determine security settings on that object). | true | true (ByValue) | |
| Disabled | Supply this parameter on the command line if you want the cmdlet to configure the link to have no effect in ActiveRoles Server (disabled link). | false | false | |
| DisplayName | Set the 'displayName' attribute to this parameter value. | false | false | |
| ExcludedProperties | Use this parameter to specify the attributes that you do not want the cmdlet to update in the directory. Supply a list of the attribute LDAP display names as the parameter value. You could use this parameter when importing attribute values from a text file, in order to prevent some attributes found in the file from being set in the directory. | false | false | |
| IncludedProperties | Use this parameter to specify explicitly the attributes that you want the cmdlet to update in the directory. Supply a list of the attribute LDAP display names as the parameter value. When used together with UseDefaultExcludedProperties, this parameter allows you to have the cmdlet update some attributes that would not be updated otherwise.
Note: If a particular attribute is listed in both ExcludedProperties and IncludedProperties, the cmdlet does not set the value of that attribute the directory. | false | false | |
| Name | Optionally, specify a name for the link to create. If you omit this parameter, a name is auto-generated. | false | false | |
| ObjectAttributes | Optionally, specify an associative array that defines the Access Template link attributes to set. The array syntax:
@{attr1='val1';attr2='val2';...} In this syntax, each of the key-value pairs is the LDAP display name and the value of an attribute to set. For information about associative arrays, type the following command at the PowerShell command-prompt: help about_associative_array | false | true (ByValue, ByPropertyName) | |
| Proxy | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| Service | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| SynchronizedToAD | If you want the cmdlet to configure the link so as to propagate permission settings to Active Directory, set the value of this parameter to 'true'. Otherwise, omit this parameter or set the parameter value to 'false'. | false | false | |
| Trustee | Specify the identity (such as name, distinguished name, domain\name, etc.) of a security principal object (such as a user or group) you want. The cmdlet configures the link to determine access rights of that security principal (set the specified object as Trustee). | true | false | |
| UseDefaultExcludedProperties | When set to 'true', this parameter causes the cmdlet not to update a certain pre-defined set of attributes in the directory. This pre-defined set of attributes (referred to as "default excluded properties") can be viewed or modified by using the Get-QADPSSnapinSettings or Set-QADPSSnapinSettings cmdlet, respectively. | false | false | |
| UseGlobalCatalog | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| Confirm | Prompts you for confirmation before executing the command. | false | false | |
| WhatIf | Describes what would happen if you executed the command without actually executing the command. | false | false |
Examples
EXAMPLE 1
connect-QADService -Proxy C:\PS>new-QARSAccessTemplateLink -AccessTemplate 'Configuration/Access Templates/Active Directory/All Objects - Full Control' -DirectoryObject 'Configuration/Managed Units/ManagedUnitName' -Trustee 'DomainName\GroupName'
Description
Give a certain group full control access to a certain Managed Unit in ActiveRoles Server. This command applies the appropriate pre-defined Access Template, creating an Access Template link on the Managed Unit, with the given group set as Trustee. The default permission inheritance setting (ThisObjectAndAllChildObjects) causes the Access Template link information to be used on any object in the managed domains.
EXAMPLE 2
connect-QADService -Proxy
C:\PS>get-QADObject -SearchRoot 'CN=Active Directory' -Type 'domainDNS' |
%{new-QARSAccessTemplateLink -AccessTemplate 'Configuration/Access Templates/Active Directory/All Objects - Read All Properties' -DirectoryObject $_ -Trustee 'Authenticated Users'}
Description
Connect to any available Administration Service. Then, configure security settings in ActiveRoles Server so as to give any authenticated user read access to any object in the Active Directory domains that are registered with ActiveRoles Server (managed domains). This command applies the appropriate pre-defined Access Template, creating an Access Template link on each of the domainDNS objects representing the managed domains, with Authenticated Users set as Trustee. The default permission inheritance setting (ThisObjectAndAllChildObjects) causes the Access Template link information to be used on any object in the managed domains.
