New-QARSAccessTemplateLink
From PowerGUI Wiki
Use this cmdlet to apply ActiveRoles Server Access Templates. This cmdlet requires a connection to be established to the ActiveRoles Server Administration Service by supplying the Proxy parameter.
Contents |
Syntax
New-QARSAccessTemplateLink [[-Name] <String>] [-ObjectAttributes <Object>] -AccessTemplate <IdentityParameter> -DirectoryObject <IdentityParameter> -Trustee <IdentityParameter> [-Description <String>] [-AppliedTo <ATLinkFlags>] [-SynchronizedToAD [<Boolean>]] [-Disabled] [-Proxy] [-Service <String>] [-ConnectionAccount <String>] [-ConnectionPassword <SecureString>] [-Credential <PSCredential>] [-Connection <ArsConnection>] [-UseGlobalCatalog] [-WhatIf] [-Confirm] [<CommonParameters>]
Detailed Description
Using this cmdlet, you can apply Access Templates in ActiveRoles Server. The operation of applying an Access Template boils down to creation of an Access Template link. This cmdlet can take Access Template objects returned by the respective Get- cmdlet and create Access Template links, thus applying the Access Templates. Each Access Template link contains information on how a certain Access Template is applied to determine access rights of a certain security principal (Trustee) on a certain directory object (securable object). For background information about Access Templates, see ActiveRoles Server Administrator Guide.
The cmdlet has optional parameters that determine the server and the security context for the operation. Normally, the connection parameters could be omitted so far as a connection to a server is established prior to using the cmdlet. In this case, the server and the security context are determined by the Connect-QADService cmdlet.
If you do not use Connect-QADService and have no connection established prior to using a cmdlet, then the connection settings, including the server and the security context, are determined by the connection parameters of the first cmdlet you use. Subsequent cmdlets will use those settings by default.
Related Commands
Parameters
| Name | Description | Required? | Pipeline Input | Default Value |
|---|---|---|---|---|
| Name | Optionally, specify a name for the link to create. If you omit this parameter, a name is auto-generated. | false | false | |
| ObjectAttributes | Optionally, specify an associative array that defines the Access Template link attributes to set. The array syntax:
@{attr1='val1';attr2='val2';...} In this syntax, each of the key-value pairs is the LDAP display name and the value of an attribute to set. For information about associative arrays, type the following command at the PowerShell command-prompt: help about_associative_array | false | false | |
| AccessTemplate | Specify the identity (such as name, distinguished name, etc.) of an Access Template you want. The cmdlet creates a link to apply that Access Template. | true | false | |
| DirectoryObject | Specify the identity (such as name, distinguished name, domain\name, etc.) of a directory object you want. The cmdlet configures the link to apply the Access Template to that object (determine security settings on that object). | true | true (ByValue) | |
| Trustee | Specify the identity (such as name, distinguished name, domain\name, etc.) of a security principal object (such as a user or group) you want. The cmdlet configures the link to determine access rights of that security principal (set the specified object as Trustee). | true | false | |
| Description | Optionally, specify a description for the link. | false | false | |
| AppliedTo | Set permission inheritance options on the link. Valid parameter values are:
'This' - Indicates no inheritance. The Access Template link information is only used on the object to which the Access Template is applied. Access Template link information is not inherited by any descendents of the object. 'ThisObjectAndAllChildObjects' - Indicates inheritance that includes the object to which the Access Template is applied, the object's immediate children, and the descendents of the object's children. 'ThisObjectAndImmediateChildObjects' - Indicates inheritance that includes the object itself and its immediate children. It does not include the descendents of its children. 'AllChildObjects' - Indicates inheritance that includes the object's immediate children and the descendants of the object's children, but not the object itself. 'ImmediateChildObjects' - Indicates inheritance that includes the object's immediate children only, not the object itself or the descendents of its children. Default setting is 'ThisObjectAndAllChildObjects'. | false | false | |
| SynchronizedToAD | If you want the cmdlet to configure the link so as to propagate permission settings to Active Directory, set the value of this parameter to 'true'. Otherwise, omit this parameter or set the parameter value to 'false'. | false | false | |
| Disabled | Supply this parameter on the command line if you want the cmdlet to configure the link to have no effect in ActiveRoles Server (disabled link). | false | false | |
| Proxy | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| Service | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| ConnectionAccount | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| ConnectionPassword | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| Credential | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| Connection | For parameter description, see help on the Connect-QADService cmdlet. | false | true (ByValue) | |
| UseGlobalCatalog | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| WhatIf | Describes what would happen if you executed the command, without actually executing the command. | false | false | |
| Confirm | Prompts you for confirmation before executing the command. | false | false |
Examples
Example 1
connect-QADService -Proxy C:\PS>new-QARSAccessTemplateLink -AccessTemplate 'Configuration/Access Templates/Active Directory/All Objects - Full Control' -DirectoryObject 'Configuration/Managed Units/ManagedUnitName' -Trustee 'DomainName\GroupName'
Give a certain group full control access to a certain Managed Unit in ActiveRoles Server. This command applies the appropriate pre-defined Access Template, creating an Access Template link on the Managed Unit, with the given group set as Trustee. The default permission inheritance setting (ThisObjectAndAllChildObjects) causes the Access Template link information to be used on any object in the managed domains.
Example 2
connect-QADService -Proxy
C:\PS>get-QADObject -SearchRoot 'CN=Active Directory' -Type 'domainDNS' | %{new-QARSAccessTemplateLink -AccessTemplate 'Configuration/Access Templates/Active Directory/All Objects - Read All Properties' -DirectoryObject $_ -Trustee 'Authenticated Users'}
Connect to any available Administration Service. Then, configure security settings in ActiveRoles Server so as to give any authenticated user read access to any object in the Active Directory domains that are registered with ActiveRoles Server (managed domains). This command applies the appropriate pre-defined Access Template, creating an Access Template link on each of the domainDNS objects representing the managed domains, with Authenticated Users set as Trustee. The default permission inheritance setting (ThisObjectAndAllChildObjects) causes the Access Template link information to be used on any object in the managed domains.
