Chat now with support
Chat with Support

Identity Manager Data Governance Edition 8.0 - Technical Insight Guide

Introduction Data Governance Edition Network Communications Data Governance service Data Governance agents Resource activity collection in Data Governance Edition QAM module tables Configurable configuration file settings
Data Governance service configuration file settings Data Governance agent configuration file settings
Configurable registry settings PowerShell commands
Adding the PowerShell snap-ins Finding component IDs Data Governance Edition deployment Service account management Managed domain deployment Agent deployment Managed host deployment Account access management Resource access management Governed data management Classification management
About us


Retrieves Active Directory objects from One Identity Manager and QAM tables: ADSAccount, ADSGroup, ADSOtherSID, QAMLocalUser, and QAMLocalGroup.


Get-QADAccount [-Name] [<String>]] [-Domain] [<String>]] [<CommonParameters>]

Table 189: Parameters
Parameter Description

(Optional) Specify the name of the Active Directory object to be retrieved.

If this parameter is not specified, all Active Directory objects are retrieved.


(Optional) Specify the domain to be queried to locate the Active Directory objects.

If this parameter is not specified, all domains are included in the query.

Table 190: Examples
Example Description
Get-QADAccount Retrieves information for all Active Directory objects on all domains in your Data Governance Edition deployment.
Get-QADAccount -Name Administrator -Domain MyDomain

Retrieves Active Directory information for account Administrator in domain MyDomain.

Details retrieved:
Table 191: Details retrieved
Detail Description

DomainInfo is an array that can be expanded to display the following information about the domain the account belongs to:

  • DnsDomainName
  • NetbiosDomainName
  • Type
AccountSid The security identifier (SID) assigned to the Active Directory account.
SamAccountName If available, the login name for the account.
DistinquishedName The distinguished name of the Active Directory account.
Name The display name of the Active Directory account.
AccountType The type of account.
ErrorMessage If available, error messages associated with the Active Directory account.


Retrieves a list of all the members of a group, including members of child groups. This helps you assess how a specific account has gained access to a resource.


Get-QGroupMembers [-GroupSid] <String> [[-Domain] [<String>]] [<CommonParameters>]

Table 192: Parameters
Parameter Description
GroupSid Specify the security identifier, in SDDL format, of the group whose membership you are interested in.

(Optional) Specify the domain containing the group whose membership you are interested in.

NOTE: This value will only be used if the domain is valid and multiple instances of this SID exist (well-known SIDs).
Table 193: Examples
Example Description
Get-QGroupMembers -GroupSid S-1-5-500 -Domain vmset6 Gets the group members from the specified domain.
Detailed retrieved:
Table 194: Details retrieved
Detail Description

ResultList is an array that can be expanded to show the following information for the members of the given group:

  • ID
  • ParentID
  • DNPrefix
  • SamAccountName
  • SamAccountType
  • RID
  • WellKnown
  • GroupType
  • ObjectClass
  • RedundantBranch
IssueList IssuesList is an array that can be expanded to view any issues encountered.


Retrieves all of the entries from the QAMTrustees table who are also listed within the QAMSecurityIndex table, denoting an indexed trustee.


Get-QIndexedTrustees [-TrusteeName [<String>]] [-Domain [<String>]] [<CommonParameters>]

Table 195: Parameters
Parameter Description

(Optional) Specify the name of the trustee to be searched.

If this parameter is not specified, all indexed trustees are returned.


(Optional) Specify the domain of the trustee to be searched.

If this parameter is not specified, all domains are queried to locate indexed trustees.

Table 196: Examples
Example Description
Get-QIndexedTrustees -TrusteeName Administrator -Domain MyDomain

Retrieves all indexed accounts from the QAMTrustees table where the account name is Administrator and the domain is MyDomain.

Details retrieved:
Table 197: Details retrieved
Detail Description
Sid The security identifier (SID) assigned to the account.
PreWindows2000Name The logon name (Pre-Windows 2000) of the Active Directory account.
Domain The name of the domain where the account resides.
TrusteeType The type of trustee (account).

Resource access management

A key challenge in improving data governance is keeping track of permissions within your environment. To ensure that data is secured in a manner that meets your business needs, you must be able to easily identify who has been given access and manage that access appropriately.

The following commands are available to you to manage resource access. For full parameter details and examples, click a command hyperlink in the table or see the command help, using the Get-Help command.

Table 198: Resource access management commands

Use this command

If you want to


Export the security information on a selected resource.

For more information, see Export-QResourceAccess.


View the resources contained in a specific root on a managed host. You can use this to enumerate the contents of remote folders and shares.

In particular, it would be similar to the standard Windows PowerShell Get-ChildItems cmdlet but it functions using the Data Governance server as a proxy, so the client machine does not necessarily need direct access to the target machine.

For more information, see Get-QChildResources.

NOTE: This PowerShell cmdlet does not support Cloud managed hosts.


Search an NTFS folder or share for files. Using this command, you can search multiple data roots at once.

For more information, see Get-QFileSystemSearchResults.


Retrieve a list of the operations, including the resource ID assigned to each operation, performed against a managed host during a given time frame.

For more information, see Get-QHostResourceActivities.

NOTE: This PowerShell cmdlet does not support Cloud managed hosts.


Calculate the perceived owners for a resource. This information can help to determine the true business owners and custodian for data.

NOTE: The perceived owner for data is calculated from the resource activity history or security information collected by Data Governance Edition. Activity is collected based on the aggregation time span settings and recorded in the Data Governance Resource Activity database.

For more information, see Get-QPerceivedOwners.


Retrieve the security information of selected resources from a specific managed host, and child objects whose security differs from the parent.

For more information, see Get-QResourceAccess.


Retrieve the activity associated with a resource.

For more information, see Get-QResourceActivity.

NOTE: Resource activity collection (and therefore this cmdlet) is not supported for the following host types:

  • Windows Cluster/Remote Windows Computer
  • Generic Host Type
  • EMC Isilon NFS Device
  • SharePoint Online
  • OneDrive for Business


View the security on a given resource in the SSDL format.

For more information, see Get-QResourceSecurity.


Set security on a given resource.

NOTE: The existing security descriptor is completely replaced.

For more information, see Set-QResourceSecurity.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating