Synopsis

Make changes to existing links of ActiveRoles Server Access Templates. This cmdlet requires a connection to be established to the ActiveRoles Server Administration Service by supplying the Proxy parameter.

This cmdlet is part of the Quest ActiveRoles Server product. Use Get-QARSProductInfo to view information about ActiveRoles Server.

Syntax

Set-QARSAccessTemplateLink [-Identity] <IdentityParameter> [-AccessTemplate <IdentityParameter>] [-AppliedTo <ATLinkFlags>] [-Connection <ArsConnection>] [-ConnectionAccount <string>] [-ConnectionPassword <SecureString>] [-Control <hashtable>] [-Credential <PSCredential>] [-Description <string>] [-DeserializeValues] [-Disabled] [-DisplayName <string>] [-Enabled] [-ExcludedProperties <string[]>] [-IncludedProperties <string[]>] [-ObjectAttributes <ObjectAttributesParameter>] [-Proxy] [-Service <string>] [-SynchronizedToAD <Boolean>] [-Trustee <IdentityParameter>] [-UseDefaultExcludedProperties <Boolean>] [-UseGlobalCatalog] [-Confirm] [-WhatIf] [<CommonParameters>]

Detailed Description

Use this cmdlet to modify existing links of Access Templates in ActiveRoles Server. This cmdlet takes Access Template links returned by the respective Get- cmdlet, makes changes to the link data, and commits the changes to ActiveRoles Server.

Each Access Template link contains information on how a certain Access Template is applied to determine access rights of a certain security principal (Trustee) on a certain directory object (securable object). For background information about Access Templates, see ActiveRoles Server Administrator Guide.

The cmdlet has optional parameters that determine the server and the security context for the operation. The connection parameters could be omitted since a connection to a server is normally established prior to using this cmdlet. In this case, the server and the security context are determined by the Connect-QADService cmdlet. If you do not use Connect-QADService and have no connection established prior to using a cmdlet, then the connection settings, including the server and the security context, are determined by the connection parameters of the first cmdlet you use. Subsequent cmdlets will use those settings by default.

Note that this cmdlet requires a connection to the ActiveRoles Server Administration Service, so the Proxy parameter must be used to establish a connection.

Parameters

-AccessTemplate [<IdentityParameter>]

Specify the identity (such as name, distinguished name, etc.) of an Access Template you want. The cmdlet configures the given link(s) to apply that Access Template.

Required?   false
Position?   named
Default value?  
Accept pipeline input?   false
Accept wildcard characters?   false

-AppliedTo [<ATLinkFlags>]

Set permission inheritance options on the given link or links. Valid parameter values are:

'This' - Indicates no inheritance. The Access Template link information is only used on the object to which the Access Template is applied. Access Template link information is not inherited by any descendants of the object.

'ThisObjectAndAllChildObjects' - Indicates inheritance that includes the object to which the Access Template is applied, the object's immediate children, and the descendants of the object's children.

'ThisObjectAndImmediateChildObjects' - Indicates inheritance that includes the object itself and its immediate children. It does not include the descendants of its children.

'AllChildObjects' - Indicates inheritance that includes the object's immediate children and the descendants of the object's children, but not the object itself.

'ImmediateChildObjects' - Indicates inheritance that includes the object's immediate children only, not the object itself or the descendants of its children.

Required?   false
Position?   named
Default value?  
Accept pipeline input?   false
Accept wildcard characters?   false

-Connection [<ArsConnection>]

For parameter description, see help on the Connect-QADService cmdlet.

Required?   false
Position?   named
Default value?  
Accept pipeline input?   false
Accept wildcard characters?   false

-ConnectionAccount [<string>]

For parameter description, see help on the Connect-QADService cmdlet.

Required?   false
Position?   named
Default value?  
Accept pipeline input?   false
Accept wildcard characters?   false

-ConnectionPassword [<SecureString>]

For parameter description, see help on the Connect-QADService cmdlet.

Required?   false
Position?   named
Default value?  
Accept pipeline input?   false
Accept wildcard characters?   false

-Control [<hashtable>]

Use this parameter to pass request controls (in-controls) to ActiveRoles Server as part of an operation request. In ActiveRoles Server, request controls are used to send extra information along with an operation request, to control how ActiveRoles Server performs the request.

The parameter value is a hash table that defines the names and values of the request controls to be passed to ActiveRoles Server. The parameter syntax is as follows:

-Control @{<name> = <value>; [<name> = <value>] ...}

In this syntax, each of the name-value pairs is the name and the value of a single control. For instructions on how to create and use hash tables, see topic "about_associative_array" or "about_hash_tables" in Windows PowerShell Help. For information about ActiveRoles Server request controls, refer to ActiveRoles Server SDK documentation.

Note that this parameter only has an effect on the operations that are performed through ActiveRoles Server (connection established using the Proxy parameter); otherwise, this parameter causes an error condition in ActiveRoles Management Shell.

Required?   false
Position?   named
Default value?  
Accept pipeline input?   false
Accept wildcard characters?   false

-Credential [<PSCredential>]

For parameter description, see help on the Connect-QADService cmdlet.

Required?   false
Position?   named
Default value?  
Accept pipeline input?   false
Accept wildcard characters?   false

-Description [<string>]

Set or clear the 'Description' attribute on the given link or links.

Required?   false
Position?   named
Default value?  
Accept pipeline input?   false
Accept wildcard characters?   false

-DeserializeValues [<SwitchParameter>]

Supply this parameter if the input you pass to the cmdlet contains serialized attribute values (for instance, when importing a directory object from a text file that was created using the Serialize parameter). For examples of how to export and import an object, see documentation on the Get-QADUser cmdlet.

Required?   false
Position?   named
Default value?  
Accept pipeline input?   false
Accept wildcard characters?   false

-Disabled [<SwitchParameter>]

Supply this parameter for the cmdlet to configure the given link(s) to have no effect in ActiveRoles Server (disabled links). If a given link is already disabled, this parameter does not take effect on that link.

Required?   false
Position?   named
Default value?  
Accept pipeline input?   false
Accept wildcard characters?   false

-DisplayName [<string>]

Set the 'displayName' attribute to this parameter value.

Required?   false
Position?   named
Default value?  
Accept pipeline input?   false
Accept wildcard characters?   false

-Enabled [<SwitchParameter>]

Supply this parameter for the cmdlet to configure the given link(s) to have effect in ActiveRoles Server (enabled links). If a given link is already enabled, this parameter does not take effect on that link.

Required?   false
Position?   named
Default value?  
Accept pipeline input?   false
Accept wildcard characters?   false

-ExcludedProperties [<string[]>]

Use this parameter to specify the attributes that you do not want the cmdlet to set in the directory. Supply a list of the attribute LDAP display names as the parameter value. You could use this parameter when importing attribute values from a text file, in order to prevent some attributes found in the file from being set in the directory.

Required?   false
Position?   named
Default value?  
Accept pipeline input?   false
Accept wildcard characters?   false

-Identity [<IdentityParameter>]

You can specify the name, canonical name, or distinguished name (DN) of the link to modify (so as to identify the respective object located in the 'Configuration/AT Links' container in the ActiveRoles Server Configuration namespace).

Normally, pipelining is used to identify links: pass the output of the appropriate Get- cmdlet to this cmdlet. If you do so, the Identity parameter is not to be supplied on the command line.

Required?   true
Position?   1
Default value?  
Accept pipeline input?   true (ByValue)
Accept wildcard characters?   false

-IncludedProperties [<string[]>]

Use this parameter to specify explicitly the attributes that you want the cmdlet to set in the directory. Supply a list of the attribute LDAP display names as the parameter value. When used together with UseDefaultExcludedProperties, this parameter allows you to have the cmdlet set some attributes that would not be set otherwise.

Note: If a particular attribute is listed in both ExcludedProperties and IncludedProperties, the cmdlet does not set the value of that attribute in the directory.

Required?   false
Position?   named
Default value?  
Accept pipeline input?   false
Accept wildcard characters?   false

-ObjectAttributes [<ObjectAttributesParameter>]

Optionally, specify an associative array that defines the Access Template link attributes to set. The array syntax:

@{attr1='val1';attr2='val2';...}

In this syntax, each of the key-value pairs is the LDAP display name and the value of an attribute to set.

For information about associative arrays, type the following command at the PowerShell command-prompt:

help about_associative_array

Required?   false
Position?   named
Default value?  
Accept pipeline input?   true (ByValue, ByPropertyName)
Accept wildcard characters?   false

-Proxy [<SwitchParameter>]

For parameter description, see help on the Connect-QADService cmdlet.

Required?   false
Position?   named
Default value?  
Accept pipeline input?   false
Accept wildcard characters?   false

-Service [<string>]

For parameter description, see help on the Connect-QADService cmdlet.

Required?   false
Position?   named
Default value?  
Accept pipeline input?   false
Accept wildcard characters?   false

-SynchronizedToAD [<Boolean>]

Set the value of this parameter to 'true' for the cmdlet to configure the given link(s) so as to propagate permission settings to Active Directory. If you want the cmdlet to disable the propagation of the permission settings that result from the given link(s), set the value of this parameter to 'false'.

Required?   false
Position?   named
Default value?  
Accept pipeline input?   false
Accept wildcard characters?   false

-Trustee [<IdentityParameter>]

Specify the identity (such as name, distinguished name, domain\name, etc.) of a security principal object (such as a user or group) you want. The cmdlet configures the given link(s) to determine access rights of that security principal (set the specified object as Trustee).

Required?   false
Position?   named
Default value?  
Accept pipeline input?   false
Accept wildcard characters?   false

-UseDefaultExcludedProperties [<Boolean>]

When set to 'true', this parameter causes the cmdlet not to make changes to certain attributes in the directory. This pre-defined set of attributes (referred to as "default excluded properties") can be viewed or modified by using the Get- or Set-QADPSSnapinSettings cmdlet, respectively.

Required?   false
Position?   named
Default value?  
Accept pipeline input?   false
Accept wildcard characters?   false

-UseGlobalCatalog [<SwitchParameter>]

For parameter description, see help on the Connect-QADService cmdlet.

Required?   false
Position?   named
Default value?  
Accept pipeline input?   false
Accept wildcard characters?   false

-Confirm [<SwitchParameter>]

Prompts you for confirmation before executing the command.

Required?   false
Position?   named
Default value?  
Accept pipeline input?   false
Accept wildcard characters?   false

-WhatIf [<SwitchParameter>]

Describes what would happen if you executed the command without actually executing the command.

Required?   false
Position?   named
Default value?  
Accept pipeline input?   false
Accept wildcard characters?   false

Input Type

Return Type

Notes

Examples

EXAMPLE 1

C:\PS> connect-QADService -Proxy
C:\PS> get-QARSAccessTemplateLink -DirectoryObject 'Configuration/Managed Units/ManagedUnitName' -Predefined $false | set-QARSAccessTemplateLink -Trustee 'DomainName\GroupName' | out-Null

Description

-----------

Connect to any available Administration Service. Then, for every Access Template link on a given ActiveRoles Server Managed Unit, set a given group as Trustee. This ensures that only members of that group have access to that Managed Unit in ActiveRoles Server.

EXAMPLE 2

C:\PS> connect-QADService -Proxy
C:\PS> get-QADObject 'OrganizationalUnitName' -Type organizationalUnit | %{get-QARSAccessTemplateLink -AccessTemplate 'AccessTemplateName' -DirectoryObject $_ -Predefined $false} | set-QARSAccessTemplateLink -SynchronizedToAD $true -AppliedTo 'ThisObjectAndAllChildObjects' | out-Null

Description

-----------

For a given organizational unit (OU) and a given Access Template applied on that OU, ensure that the permission settings defined by the Access Template on any object held in the OU are synchronized to Active Directory (on the respective Access Template link, enable the options to synchronize permission settings to AD and to apply them on both the OU and all child objects).

EXAMPLE 3

C:\PS> connect-QADService -Proxy
C:\PS> get-QADObject -SearchRoot 'OrganizationalUnitName' | %{get-QARSAccessTemplateLink -AccessTemplate 'AccessTemplateName' -DirectoryObject $_ -SynchronizedToAD $true -Predefined $false} | set-QARSAccessTemplateLink -SynchronizedToAD $false | out-Null

Description

-----------

For a given organizational unit (OU) and a given Access Template, ensure that the permission settings defined by the Access Template on any object held in the OU are not synchronized to Active Directory (disable the permission synchronization option for each link that is based on that Access Template and applied to any object held in that OU).
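
The following is an added example, not part of the product documentation. It wraps the trustee change from EXAMPLE 1 in a snapshot, preview, and confirm sequence, because a trustee change on an Access Template link changes who holds delegated rights. The Managed Unit path, the group name and the snapshot file location are placeholders (assumptions); only parameters shown on this page are used on the Quest cmdlets.

```powershell
# Added example: snapshot, preview, then apply a trustee change on one Managed Unit.
# Placeholders (assumptions): Managed Unit path, group name, snapshot file path.
$managedUnit = 'Configuration/Managed Units/ManagedUnitName'
$newTrustee  = 'DomainName\GroupName'
$snapshot    = Join-Path $env:TEMP ("ATLinks-{0:yyyyMMdd-HHmmss}.xml" -f (Get-Date))

# Set-QARSAccessTemplateLink only works through the Administration Service,
# so the connection is established with -Proxy.
Connect-QADService -Proxy | Out-Null

# 1. Collect the non-predefined links once, so that the preview and the commit
#    operate on exactly the same set of links.
$links = @(Get-QARSAccessTemplateLink -DirectoryObject $managedUnit -Predefined $false)
if ($links.Count -eq 0) {
    Write-Warning "No Access Template links found on '$managedUnit'; nothing to change."
    return
}

# 2. Record the current state of every link for review and as a rollback reference.
$links | Export-Clixml -Path $snapshot
Write-Host "Saved $($links.Count) link(s) to $snapshot"

# 3. Preview: -WhatIf reports what would be changed without committing anything.
$links | Set-QARSAccessTemplateLink -Trustee $newTrustee -WhatIf

# 4. Commit, with a confirmation prompt for each link.
$links | Set-QARSAccessTemplateLink -Trustee $newTrustee -Confirm | Out-Null

# 5. Read the links back so the result can be compared with the snapshot.
Get-QARSAccessTemplateLink -DirectoryObject $managedUnit -Predefined $false
```

The snapshot file describes the delegation on the Managed Unit, so store it where only administrators can read it.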