Removing access template links from formerly managed domains

Hello,

Does anyone have ways of removing AR configuration from domains that are no longer managed by an AR instance? We have some decommed domains that had accesses defined but are no longer needed. Is there a way to clean up those items from the config db that will no longer be applied?

  • There is a cmdlet for de-linking ATs: Remove-QARSAccessTemplateLink

    Syntax would be something like this:

    Get-QARSAccessTemplateLink -Proxy -DirectoryObject $MyOUItem | foreach { Remove-QARSAccessTemplateLink -Identity $_ -Proxy }

    $MyOUItem would be an OU from a list that you would enumerate from the domain(s) in question.

  • The only issue you might have is the AT Link may show as being blank after a managed domain is removed.

    The below piece of code is provided as-is, you should test it in your own LAB, Test, or Development environment before it is run anywhere near your production environment!

    The basic gist of what it does is:

    1. Get a list of all the Active Roles "Well-Known" principals (Primary Owner, Manager and Secondary Owners)
    2. Get a list of all your current Access Template links (currently limited to 1000, as there is no -sizelimit parameter in the command) which are not predefined
    3. Loop through each Access Template Link
      1. Using the TrusteeSID held against the ATL, it will attempt to find this value via Active Roles (PROXY parameter)
      2. If the Trustee object was not resolved, it will
        1. Check if it's a well-known AD security principal; if a Trustee was found and it doesn't start with NT AUTHORITY (you may need to add additional options), it clears the Trustee variable again
      3. If the Trustee Object is still blank
        1. It will output selected details to screen
        2. Ask if you want to delete
        3. If you select the option to delete, it will attempt to remove the object
          1. If successful you get a Remove message, otherwise a failed message
      4. If the Trustee Object was not blank, and the ShowValid variable is set to true, it'll output the other valid links also.

    Please bear in mind this looks at ALL your access template links (up to 1000), therefore be careful to review your findings before attempting to delete.

    As always with destructive/delete options, back up your database, and only do this in a time window suitable for your environment, and when no one else is making changes via ARS.

    Clear-Host
    $AutoRemoveInvalid = $false   # $true removes every unresolved link without prompting
    $ShowValid = $true            # also list links whose trustee still resolves

    # Active Roles' own well-known principals (Primary Owner, Manager, Secondary Owners)
    $ARSWellKnown = Get-QADObject -SearchRoot "CN=Well-Known Accounts by ActiveRoles Server,CN=Application Configuration,CN=Configuration" -Proxy

    # All non-predefined links; the cmdlet returns at most 1000 objects per call
    $ATLinks = Get-QARSAccessTemplateLink -SearchRoot "CN=AT Links,CN=Configuration" -Predefined $false -Proxy

    $RemoveCurrentLink = $null

    ForEach($ATLink in $ATLinks)
    {
        # 1. Try to resolve the trustee SID through Active Roles
        $Trustee = Get-QADObject -Identity $ATLink.TrusteeSid -Proxy -ErrorAction SilentlyContinue

        # 2. Fall back to the Active Roles well-known principals
        If(-not $Trustee)
        {
            $Trustee = ($ARSWellKnown | Where-Object {$_.ObjectSID -eq $ATLink.TrusteeSid}).Name
        }

        # 3. Fall back to Windows well-known SIDs; only NT AUTHORITY\* is accepted (add others as needed).
        #    Translate() throws for a SID that cannot be mapped, so treat that as unresolved.
        If(-not $Trustee)
        {
            Try
            {
                $Trustee = ([System.Security.Principal.SecurityIdentifier]$ATLink.TrusteeSid).Translate([System.Security.Principal.NTAccount]).Value
            }
            Catch
            {
                $Trustee = $null
            }

            If($Trustee -and ($Trustee -notlike "NT AUTHORITY\*"))
            {
                $Trustee = $null
            }
        }

        If(-not $Trustee)
        {
            Write-Host "ATLink: $($ATLink.DN)" -ForegroundColor Red
            Write-Host "`tTrusteeSID:        $($ATLink.TrusteeSid)"
            Write-Host "`tTrustee:           $($ATLink.Trustee)"
            Write-Host "`tDirectoryObjectDN: $($ATLink.DirectoryObjectDN)"
            Write-Host "`tDirectoryObject:   $($ATLink.DirectoryObject)"

            If((-not $AutoRemoveInvalid) -and (-not $RemoveCurrentLink))
            {
                Write-Host "`t`tDo you want to remove the current link?" -ForegroundColor Yellow
                Write-Host "`t`t`t[Y] Remove the current link" -ForegroundColor Yellow
                Write-Host "`t`t`t[A] Remove all current and all future invalid links" -ForegroundColor Yellow
                Write-Host "`t`t`t[S] Do not remove current or any future links" -ForegroundColor Yellow
                Write-Host "`t`t`t[<blank>] or [<any other value>] Do not remove the current link" -ForegroundColor Yellow
                $RemoveCurrentLink = (Read-Host "`t`tSelect an option").Trim()
            }

            If($AutoRemoveInvalid -or ($RemoveCurrentLink -eq "Y") -or ($RemoveCurrentLink -eq "A"))
            {
                Try
                {
                    Remove-QARSAccessTemplateLink -Identity $ATLink.DN -Proxy
                    Write-Host "`t`t`tAccess Template Link removed" -ForegroundColor Green
                }
                Catch
                {
                    Write-Host "`t`t`tError removing Access Template Link: $($_.Exception.Message)" -ForegroundColor Red
                }
            }

            # Only [A] and [S] persist across links; any other answer applies to the
            # current link only, so clear it and prompt again for the next unresolved link
            If(($RemoveCurrentLink -ne "A") -and ($RemoveCurrentLink -ne "S"))
            {
                $RemoveCurrentLink = $null
            }
        }
        Else
        {
            If($ShowValid)
            {
                Write-Host "ATLink: $($ATLink.DN)" -ForegroundColor Green
                Write-Host "`tTrusteeSID:        $($ATLink.TrusteeSid)"
                Write-Host "`tTrustee:           $($ATLink.Trustee)"
                Write-Host "`tDirectoryObjectDN: $($ATLink.DirectoryObjectDN)"
                Write-Host "`tDirectoryObject:   $($ATLink.DirectoryObject)"
            }
        }
    }

  • Thanks. I think from our design, plenty of the trustees are likely to still exist - just the old domain based resources have been removed and I have no clue what they were.

    We have found some of these access template links - one thing I notice is there are directoryentry parts that will point to the NC (naming context) of the removed domains. When we have found these links, we can remove them.

    From what I see we have ~220k items in AT Link (from RAW mode)
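The case in the last reply (trustees still valid, only the target objects under a decommissioned domain's naming context gone) is not caught by the trustee-resolution script above, which keys on the trustee SID. The script below is an added example, not code from this thread or from the Active Roles product: it selects links by the DirectoryObjectDN suffix instead, using the same Get-QARSAccessTemplateLink / Remove-QARSAccessTemplateLink cmdlets and the same "CN=AT Links,CN=Configuration" search root as the posts above. It assumes the Active Roles Management Shell is loaded with a working -Proxy connection; the naming context in the parameter default is a placeholder, and the $Remove switch is a name chosen here so that the default run only reports.

```powershell
# Added example (not from the original thread): find Access Template links whose
# target object sits under the naming context of a decommissioned domain and,
# only when -Remove is given, delete them.
# Assumed: ActiveRoles Management Shell loaded, -Proxy reaches the Active Roles service.
param(
    # Naming contexts of the decommissioned domains (placeholder value)
    [string[]]$DeadNamingContexts = @('DC=olddom,DC=corp,DC=example'),
    # Report only unless this switch is set
    [switch]$Remove
)

function Test-DnUnderNamingContext {
    # $true when $Dn is the naming context itself or lies beneath it.
    # Case-insensitive and anchored at an RDN boundary (",DC=..."), so
    # 'DC=olddom,DC=corp,DC=example' does not match 'DC=xolddom,DC=corp,DC=example'.
    param([string]$Dn, [string[]]$NamingContexts)
    if ([string]::IsNullOrWhiteSpace($Dn)) { return $false }
    $norm = ($Dn -replace '\s*,\s*', ',').Trim()
    foreach ($nc in $NamingContexts) {
        $ncNorm = ($nc -replace '\s*,\s*', ',').Trim()
        if ($norm -ieq $ncNorm -or
            $norm.EndsWith(",$ncNorm", [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# Non-predefined links from the configuration container. As noted in the thread,
# the cmdlet returns at most 1000 objects per call, so on a database with far more
# links (220k in the reply above) one pass only sees part of the set; treat the
# counts below as what this query returned, not as totals.
$links = Get-QARSAccessTemplateLink -SearchRoot 'CN=AT Links,CN=Configuration' -Predefined $false -Proxy

$stale = @($links | Where-Object {
    Test-DnUnderNamingContext -Dn $_.DirectoryObjectDN -NamingContexts $DeadNamingContexts
})

Write-Host ("{0} of {1} returned links target a decommissioned naming context" -f $stale.Count, @($links).Count)

foreach ($link in $stale) {
    Write-Host ("{0}`n`tTrustee: {1}`n`tTarget:  {2}" -f $link.DN, $link.Trustee, $link.DirectoryObjectDN)
    if ($Remove) {
        try {
            Remove-QARSAccessTemplateLink -Identity $link.DN -Proxy
            Write-Host "`tremoved" -ForegroundColor Green
        }
        catch {
            Write-Host "`tfailed: $($_.Exception.Message)" -ForegroundColor Red
        }
    }
}
```

Run it once without -Remove and check that every reported DirectoryObjectDN really belongs to a domain you have retired; a naming context typed one RDN too short (for example the forest root instead of a child domain) would match every link in the forest. As with the script above, take a configuration database backup before the removal pass.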