Removing access template links from formerly managed domains

Hello,

Does anyone have ways of removing AR configuration from domains that are no longer managed by an AR instance? We have some decommed domains that had accesses defined but are no longer needed. Is there a way to clean up those items from the config DB that will no longer be applied?

  • There is a cmdlet for de-linking ATs:  Remove-QARSAccessTemplateLink

    Syntax would be something like this:

    # Each link returned for the OU is passed to Remove by its DN ($_ is the current link in the loop)
    Get-QARSAccessTemplateLink -Proxy -DirectoryObject $MyOUItem | ForEach-Object { Remove-QARSAccessTemplateLink -Identity $_.DN -Proxy }

    $MyOUItem would be an OU from a list that you would enumerate from the domain(s) in question.

  • The only issue you might have is the AT Link may show as being blank after a managed domain is removed.

    The below piece of code is provided as-is, you should test it in your own LAB, Test, or Development environment before it is run anywhere near your production environment!

    The basic gist of what it does is:

    1. Get a list of all the Active Roles "Well-Known" principals (Primary Owner, Manager and Secondary Owners)
    2. Get a list of all your current Access Template links (currently limited to 1000, as there is no -sizelimit parameter in the command) which are not predefined
    3. Loop through each Access Template Link
      1. Using the TrusteeSID held against the ATL, it will attempt to find this value via Active Roles (PROXY parameter)
      2. If the Trustee object was not resolved, it will
        1. Check if it's a well-known AD security principal; if a Trustee was found and it doesn't start with NT AUTHORITY (you may need to add additional options), it clears the Trustee attribute again
      3. If the Trustee Object is still blank
        1. It will output selected details to screen
        2. Ask if you want to delete
        3. If you select the correct option to delete it will attempt to remove the object
          1. If successful you get a Remove message, otherwise a failed message
      4. If the Trustee Object was not blank, and the ShowValid variable is set to true, it'll output the other valid links also.

    Please bear in mind this looks at ALL your access template links (up to 1000), therefore be careful to review your findings before attempting to delete.

    As always with destructive/delete options, back up your database, and only do this in a time window suitable for your environment, and when no one else is making changes via ARS.

    Clear-Host
    $AutoRemoveInvalid = $false   # $true removes every link with an unresolved trustee without prompting
    $ShowValid = $true            # $false lists only links whose trustee could not be resolved

    # Active Roles "Well-Known" principals (Primary Owner, Manager, Secondary Owners)
    $ARSWellKnown = Get-QADObject -SearchRoot "CN=Well-Known Accounts by ActiveRoles Server,CN=Application Configuration,CN=Configuration" -Proxy

    # All non-predefined Access Template links (capped at 1000 by the default size limit)
    $ATLinks = Get-QARSAccessTemplateLink -SearchRoot "CN=AT Links,CN=Configuration" -Predefined $false -Proxy

    $RemoveCurrentLink = $null    # Y = remove this link, A = remove all invalid links, S = skip all

    ForEach($ATLink in $ATLinks)
    {
        # 1. Try to resolve the trustee SID through Active Roles
        $Trustee = Get-QADObject -Identity $ATLink.TrusteeSid -Proxy -ErrorAction SilentlyContinue

        # 2. Fall back to the Active Roles well-known principals
        If(-not $Trustee)
        {
            $Trustee = ($ARSWellKnown | Where-Object {$_.ObjectSID -eq $ATLink.TrusteeSid}).Name
        }

        # 3. Fall back to the Windows SID translator and keep only NT AUTHORITY principals
        #    (add further prefixes here if your links use other built-in trustees)
        If(-not $Trustee)
        {
            Try
            {
                $Trustee = ([System.Security.Principal.SecurityIdentifier]$ATLink.TrusteeSid).Translate([System.Security.Principal.NTAccount]).Value
            }
            Catch
            {
                $Trustee = $null   # the SID no longer maps to any account
            }

            If($Trustee -notlike "NT AUTHORITY\*")
            {
                $Trustee = $null
            }
        }

        If(-not $Trustee)
        {
            Write-Host "ATLink: $($ATLink.DN)" -ForegroundColor Red
            Write-Host "`tTrusteeSID:        $($ATLink.TrusteeSid)"
            Write-Host "`tTrustee:           $($ATLink.Trustee)"
            Write-Host "`tDirectoryObjectDN: $($ATLink.DirectoryObjectDN)"
            Write-Host "`tDirectoryObject:   $($ATLink.DirectoryObject)"

            # Prompt unless auto-remove is on or a sticky choice (A or S) is already in effect
            If((-not $AutoRemoveInvalid) -and (-not $RemoveCurrentLink))
            {
                Write-Host "`t`tDo you want to remove the current link?" -ForegroundColor Yellow
                Write-Host "`t`t`t[Y] Remove the current link" -ForegroundColor Yellow
                Write-Host "`t`t`t[A] Remove all current and all future invalid links" -ForegroundColor Yellow
                Write-Host "`t`t`t[S] Do not remove current or any future links" -ForegroundColor Yellow
                Write-Host "`t`t`t[<blank>] or [<any other value>] Do not remove the current link" -ForegroundColor Yellow
                $RemoveCurrentLink = Read-Host "`t`tSelect an option"
            }

            If(($AutoRemoveInvalid -eq $true) -or ($RemoveCurrentLink -eq "Y") -or ($RemoveCurrentLink -eq "A"))
            {
                Try
                {
                    # -ErrorAction Stop turns a cmdlet error into an exception so the Catch block fires
                    Remove-QARSAccessTemplateLink -Identity $ATLink.DN -Proxy -ErrorAction Stop
                    Write-Host "`t`t`tAccess Template Link removed" -ForegroundColor Green
                }
                Catch
                {
                    Write-Host "`t`t`tError removing Access Template Link" -ForegroundColor Red
                }
            }

            # Only A and S persist across links; any other answer applies to this link alone,
            # so reset here regardless of whether a removal was attempted
            If(($RemoveCurrentLink -ne "A") -and ($RemoveCurrentLink -ne "S"))
            {
                $RemoveCurrentLink = $null
            }
        }
        Else
        {
            If($ShowValid)
            {
                Write-Host "ATLink: $($ATLink.DN)" -ForegroundColor Green
                Write-Host "`tTrusteeSID:        $($ATLink.TrusteeSid)"
                Write-Host "`tTrustee:           $($ATLink.Trustee)"
                Write-Host "`tDirectoryObjectDN: $($ATLink.DirectoryObjectDN)"
                Write-Host "`tDirectoryObject:   $($ATLink.DirectoryObject)"
            }
        }
    }

  • That's certainly part of the solution required. Alas, as Stu suggests, we have many access template links in place and I haven't had a full extract with Get-QARSAccessTemplateLink able to complete - many records and timeouts. I also can't necessarily add any target information about the no longer required links to list those first.

  • Thanks. I think from our design, plenty of the trustees are likely to still exist - just the old domain based resources have been removed and I have no clue what they were.

    We have found some of these access template links - one thing I notice is there are DirectoryEntry parts that will point to the NC (naming context) of the removed domains. When we have found these links, we can remove them.

    From what I see we have ~220k items in AT Link (from RAW mode) 

  • You could add a filter into your Get-QARSAccessTemplateLink, to add -LDAPFilter "(!(Trustee=*))" along with -SizeLimit, which would get all ATLs where the Trustee is not present

    IE:

    $ATLinks = Get-QARSAccessTemplateLink -SearchRoot "CN=AT Links,CN=Configuration" -Predefined $false -LdapFilter "(!(Trustee=*))" -SizeLimit 0 -Proxy 

  • The LDAP filter doesn't seem to be returning entries that don't have trustee values.

  • Hi

    Apologies, the LDAP filter on Trustee wouldn't work, so you'd need to filter on other criteria.

    This might be to filter by Access Template, so a loop inside a loop. I.e. in pseudocode:

    $ATs = Get-QARSAccessTemplate -Proxy   # get a list of all Access Templates

    ForEach ($AT in $ATs)
    {
        # Run the previous script, but change the Get-QARSAccessTemplateLink command to
        # include -AccessTemplate $AT.DN, e.g.:
        $ATLinks = Get-QARSAccessTemplateLink -AccessTemplate $AT.DN -Predefined $false -SizeLimit 0 -Proxy
    }

  • The initial collection part of $ATs = Get a list of All Access Templates - is the first struggle. To collect these in short enough time. Enumerations of the data of trustee and directory object are not rapid. There's plenty of valid links we do want to keep and have to wade through those to find the ones we don't want which is still proving tricky.

  • If you set the $ShowValid to $false, it will only show ATLs which do not have a valid trustee.

    Also you can run the script for a single Access Template at a time, therefore reducing the number of ATLs being retrieved...

    Naturally you could then just loop through each ATL in turn.

    If you want to evaluate the ATLs offline, you'll need to change the script to output its results to file, and naturally not remove any ATLs.
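As an added example (not code from the thread or from the Active Roles product), the per-Access-Template loop from the pseudocode above combined with the report-to-file approach from the last reply, also flagging links whose DirectoryObjectDN sits under a removed domain's naming context. It assumes the Active Roles Management Shell is loaded, that Get-QARSAccessTemplate and the -AccessTemplate parameter of Get-QARSAccessTemplateLink exist as named, and that the naming contexts and output path are placeholders to replace.

```powershell
# Added example (not code from the thread): report-only sweep of Access Template links, one
# Access Template at a time, flagging links whose DirectoryObjectDN lies under a decommissioned
# domain's naming context or whose TrusteeSid no longer resolves. Nothing is removed.
# Assumed: Active Roles Management Shell loaded; Get-QARSAccessTemplate and the -AccessTemplate
# parameter of Get-QARSAccessTemplateLink exist as named; NCs and output path below are placeholders.

$DecommissionedNCs = @('DC=olddomain,DC=example,DC=com', 'DC=child,DC=olddomain,DC=example,DC=com')
$ReportPath = 'C:\Temp\StaleATLinks.csv'   # placeholder output path; review this file before any deletion

function Test-UnderNamingContext {
    param([string]$Dn, [string[]]$NamingContexts)
    foreach ($nc in $NamingContexts) {
        # The NC itself or anything beneath it; DN comparison is case-insensitive
        if ($Dn -ieq $nc -or $Dn -ilike "*,$nc") { return $true }
    }
    return $false
}

function Test-TrusteeResolves {
    param([string]$Sid)
    if (Get-QADObject -Identity $Sid -Proxy -ErrorAction SilentlyContinue) { return $true }
    try {
        # Same fallback as the thread's script, extended to BUILTIN principals
        $name = ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount]).Value
        return ($name -ilike 'NT AUTHORITY\*') -or ($name -ilike 'BUILTIN\*')
    } catch { return $false }   # SID maps to nothing anymore
}

$Findings = foreach ($AT in (Get-QARSAccessTemplate -Proxy)) {
    # Per-template queries stay small enough to complete; -SizeLimit 0 lifts the 1000-item default
    $links = Get-QARSAccessTemplateLink -AccessTemplate $AT.DN -Predefined $false -SizeLimit 0 -Proxy
    foreach ($link in $links) {
        $staleTarget  = Test-UnderNamingContext -Dn $link.DirectoryObjectDN -NamingContexts $DecommissionedNCs
        $staleTrustee = -not (Test-TrusteeResolves -Sid $link.TrusteeSid)
        if ($staleTarget -or $staleTrustee) {
            [pscustomobject]@{
                AccessTemplate    = $AT.DN
                LinkDN            = $link.DN
                DirectoryObjectDN = $link.DirectoryObjectDN
                TrusteeSid        = $link.TrusteeSid
                Reason            = @(if ($staleTarget) { 'TargetInRemovedDomain' }; if ($staleTrustee) { 'TrusteeUnresolved' }) -join ';'
            }
        }
    }
}

$Findings | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "$(@($Findings).Count) candidate link(s) written to $ReportPath"
```

Once the CSV has been reviewed, the LinkDN column can be fed to Remove-QARSAccessTemplateLink -Identity in a separate, deliberate step.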