Access Templates can be applied to objects programmatically with the New-QARSAccessTemplateLink cmdlet.
The Get-Help output for New-QARSAccessTemplateLink is reproduced below.
NAME
New-QARSAccessTemplateLink
SYNOPSIS
Use this cmdlet to apply Active Roles Access Templates. This cmdlet requires a connection to be established to the Active Roles Administration Service by supplying the Proxy parameter.
SYNTAX
New-QARSAccessTemplateLink [[-Name] <string>] -AccessTemplate <IdentityParameter> -DirectoryObject <IdentityParameter> -Trustee <IdentityParameter> [-AppliedTo <ATLinkFlags>] [-Connection <ArsConnection>] [-ConnectionAccount <string>] [-ConnectionPassword <SecureString>] [-Control <hashtable>] [-Credential <PSCredential>] [-Description <string>] [-DeserializeValues] [-Disabled] [-DisplayName <string>] [-ExcludedProperties <string[]>] [-IncludedProperties <string[]>] [-ObjectAttributes <ObjectAttributesParameter>] [-Proxy] [-Service <string>] [-SynchronizedToAD <Boolean>] [-UseDefaultExcludedProperties <Boolean>] [-UseGlobalCatalog] [-Confirm] [-WhatIf] [<CommonParameters>]
DESCRIPTION
Using this cmdlet, you can apply Access Templates in Active Roles. The operation of applying an Access Template boils down to creation of an Access Template link. This cmdlet can take Access Template objects returned by the respective Get- cmdlet and create Access Template links, thus applying the Access Templates. Each Access Template link contains information on how a certain Access Template is applied to determine access rights of a certain security principal (Trustee) on a certain directory object (securable object). For background information about Access Templates, see the Active Roles Administrator Guide.
The cmdlet has optional parameters that determine the server and the security context for the operation. Normally, the connection parameters can be omitted as long as a connection to a server is established prior to using the cmdlet. In this case, the server and the security context are determined by the Connect-QADService cmdlet.
If you do not use Connect-QADService and have no connection established prior to using a cmdlet, then the connection settings, including the server and the security context, are determined by the connection parameters of the first cmdlet you use. Subsequent cmdlets will use those settings by default.
Note that this cmdlet requires a connection to the Active Roles Administration Service, so the Proxy parameter must be used to establish a connection.
PARAMETERS
-DirectoryObject <IdentityParameter>
Specify the identity (such as name, distinguished name, domain\name, etc.) of a directory object you want. The cmdlet configures the link to apply the Access Template to that object (determine security settings on that object).
Required? true
Position? named
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false
-Name <string>
Optionally, specify a name for the link to create. If you omit this parameter, a name is auto-generated.
Required? false
Position? 1
Default value
Accept pipeline input? false
Accept wildcard characters? false
-AccessTemplate <IdentityParameter>
Specify the identity (such as name, distinguished name, etc.) of an Access Template you want. The cmdlet creates a link to apply that Access Template.
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Trustee <IdentityParameter>
Specify the identity (such as name, distinguished name, domain\name, etc.) of a security principal object (such as a user or group) you want. The cmdlet configures the link to determine access rights of that security principal (set the specified object as Trustee).
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-AppliedTo <ATLinkFlags>
Set permission inheritance options on the link. Valid parameter values are:
'This' - Indicates no inheritance. The Access Template link information is only used on the object to which the Access Template is applied. Access Template link information is not inherited by any descendants of the object.
'ThisObjectAndAllChildObjects' - Indicates inheritance that includes the object to which the Access Template is applied, the object's immediate children, and the descendants of the object's children.
'ThisObjectAndImmediateChildObjects' - Indicates inheritance that includes the object itself and its immediate children. It does not include the descendants of its children.
'AllChildObjects' - Indicates inheritance that includes the object's immediate children and the descendants of the object's children, but not the object itself.
'ImmediateChildObjects' - Indicates inheritance that includes the object's immediate children only, not the object itself or the descendants of its children.
Default setting is 'ThisObjectAndAllChildObjects'.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-SynchronizedToAD <Boolean>
If you want the cmdlet to configure the link so as to propagate permission settings to Active Directory, set the value of this parameter to 'true'. Otherwise, omit this parameter or set the parameter value to 'false'.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Disabled [<SwitchParameter>]
Supply this parameter on the command line if you want the cmdlet to configure the link to have no effect in Active Roles (disabled link).
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-ObjectAttributes <ObjectAttributesParameter>
Optionally, specify an associative array that defines the Access Template link attributes to set. The array syntax:
@{attr1='val1';attr2='val2';...}
In this syntax, each of the key-value pairs is the LDAP display name and the value of an attribute to set.
For information about associative arrays, type the following command at the PowerShell command-prompt:
help about_associative_array
Required? false
Position? named
Default value
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? false
-Description <string>
Optionally, specify a description for the link.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-DisplayName <string>
Set the 'displayName' attribute to this parameter value.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-ExcludedProperties <string[]>
Use this parameter to specify the attributes that you do not want the cmdlet to update in the directory. Supply a list of the attribute LDAP display names as the parameter value. You could use this parameter when importing attribute values from a text file, in order to prevent some attributes found in the file from being set in the directory.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-IncludedProperties <string[]>
Use this parameter to specify explicitly the attributes that you want the cmdlet to update in the directory. Supply a list of the attribute LDAP display names as the parameter value. When used together with UseDefaultExcludedProperties, this parameter allows you to have the cmdlet update some attributes that would not be updated otherwise.
Note: If a particular attribute is listed in both ExcludedProperties and IncludedProperties, the cmdlet does not set the value of that attribute in the directory.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-DeserializeValues [<SwitchParameter>]
Supply this parameter on the command line if the input you pass to the cmdlet contains serialized attribute values (for instance, when importing a directory object from a text file that was created using the Serialize parameter). For examples of how to export and import an object, see help on the Get-QADUser cmdlet.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-UseDefaultExcludedProperties <Boolean>
When set to 'true', this parameter causes the cmdlet not to update a certain pre-defined set of attributes in the directory. This pre-defined set of attributes (referred to as "default excluded properties") can be viewed or modified by using the Get-QADPSSnapinSettings or Set-QADPSSnapinSettings cmdlet, respectively.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Proxy [<SwitchParameter>]
For parameter description, see help on the Connect-QADService cmdlet.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-UseGlobalCatalog [<SwitchParameter>]
For parameter description, see help on the Connect-QADService cmdlet.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Service <string>
For parameter description, see help on the Connect-QADService cmdlet.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-ConnectionAccount <string>
For parameter description, see help on the Connect-QADService cmdlet.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-ConnectionPassword <SecureString>
For parameter description, see help on the Connect-QADService cmdlet.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Credential <PSCredential>
For parameter description, see help on the Connect-QADService cmdlet.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Connection <ArsConnection>
For parameter description, see help on the Connect-QADService cmdlet.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Control <hashtable>
Use this parameter to pass request controls (in-controls) to Active Roles as part of an operation request. In Active Roles, request controls are used to send extra information along with an operation request, to control how Active Roles performs the request.
The parameter value is a hash table that defines the names and values of the request controls to be passed to Active Roles. The parameter syntax is as follows:
-Control @{<name> = <value>; [<name> = <value>] ...}
In this syntax, each of the name-value pairs is the name and the value of a single control. For instructions on how to create and use hash tables, see topic "about_associative_array" or "about_hash_tables" in Windows PowerShell Help. For information about Active Roles request controls, refer to Active Roles SDK.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Confirm [<SwitchParameter>]
Prompts you for confirmation before executing the command.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-WhatIf [<SwitchParameter>]
Describes what would happen if you executed the command without actually executing the command.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, PipelineVariable, and OutVariable. For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).
-------------------------- EXAMPLE 1 --------------------------
C:\PS>connect-QADService -Proxy
C:\PS>new-QARSAccessTemplateLink -AccessTemplate 'Configuration/Access Templates/Active Directory/All Objects - Full Control' -DirectoryObject 'Configuration/Managed Units/ManagedUnitName' -Trustee 'DomainName\GroupName'
Description
-----------
Give a certain group full control access to a certain Managed Unit in Active Roles. This command applies the appropriate pre-defined Access Template, creating an Access Template link on the Managed Unit, with the given group set as Trustee. The default permission inheritance setting (ThisObjectAndAllChildObjects) causes the Access Template link information to be used on any object in the managed domains.
-------------------------- EXAMPLE 2 --------------------------
C:\PS>connect-QADService -Proxy
C:\PS>get-QADObject -SearchRoot 'CN=Active Directory' -Type 'domainDNS' | %{new-QARSAccessTemplateLink -AccessTemplate 'Configuration/Access Templates/Active Directory/All Objects - Read All Properties' -DirectoryObject $_ -Trustee 'Authenticated Users'}
Description
-----------
Connect to any available Administration Service. Then, configure Active Roles security settings so as to give any authenticated user read access to any object in the Active Directory domains that are registered with Active Roles (managed domains). This command applies the appropriate pre-defined Access Template, creating an Access Template link on each of the domainDNS objects representing the managed domains, with Authenticated Users set as Trustee. The default permission inheritance setting (ThisObjectAndAllChildObjects) causes the Access Template link information to be used on any object in the managed domains.
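Because -AppliedTo defaults to 'ThisObjectAndAllChildObjects' and a new link takes effect immediately, the following added example (not part of the Get-Help output or of Active Roles itself) wraps the cmdlet so that the inheritance scope must be stated explicitly, the link is created disabled until reviewed, and a full-control template cannot be linked to a broad trustee. The function name New-ScopedATLink, the list of broad trustees, the OU, the group and the change reference are assumptions made for illustration.

```powershell
# Added example: guarded wrapper around New-QARSAccessTemplateLink.
# New-ScopedATLink and all sample identities below are hypothetical.
function New-ScopedATLink {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$AccessTemplate,
        [Parameter(Mandatory = $true)][string]$DirectoryObject,
        [Parameter(Mandatory = $true)][string]$Trustee,
        # Mandatory on purpose: the cmdlet's own default is ThisObjectAndAllChildObjects.
        [Parameter(Mandatory = $true)]
        [ValidateSet('This', 'ThisObjectAndAllChildObjects', 'ThisObjectAndImmediateChildObjects',
                     'AllChildObjects', 'ImmediateChildObjects')]
        [string]$AppliedTo,
        # Mandatory so every link records why it exists.
        [Parameter(Mandatory = $true)][string]$Description,
        [switch]$Enable
    )

    # Refuse a full-control template for a broad trustee (list is an assumption).
    $broadTrustees = 'Authenticated Users', 'Everyone', 'Domain Users'
    $leaf = ($Trustee -split '\\')[-1]   # strip an optional DOMAIN\ prefix
    if ($AccessTemplate -like '*Full Control*' -and $broadTrustees -contains $leaf) {
        throw "Refusing to link '$AccessTemplate' to broad trustee '$Trustee'."
    }

    $linkArgs = @{
        AccessTemplate   = $AccessTemplate
        DirectoryObject  = $DirectoryObject
        Trustee          = $Trustee
        AppliedTo        = $AppliedTo
        Description      = $Description
        SynchronizedToAD = $false           # do not propagate permissions to Active Directory
        Disabled         = (-not $Enable)   # staged with no effect unless -Enable is given
    }
    # Honors -WhatIf / -Confirm passed to the wrapper.
    if ($PSCmdlet.ShouldProcess($DirectoryObject, "Link '$AccessTemplate' for '$Trustee'")) {
        New-QARSAccessTemplateLink @linkArgs
    }
}

# Preview only: nothing is created while -WhatIf is present.
Connect-QADService -Proxy | Out-Null
New-ScopedATLink -AccessTemplate 'Configuration/Access Templates/Active Directory/All Objects - Read All Properties' `
    -DirectoryObject 'OU=Helpdesk,DC=example,DC=com' -Trustee 'EXAMPLE\Helpdesk-Readers' `
    -AppliedTo 'ThisObjectAndImmediateChildObjects' -Description 'CHG-PLACEHOLDER: helpdesk read access' -WhatIf
```

Dropping -WhatIf creates the link in the disabled state; adding -Enable creates it active.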