Removing access template links from formerly managed domains

There is a cmdlet for de-linking AT's:  Remove-QARSAccessTemplateLink

Syntax would be something like this:

Get-QARSAccessTemplateLink -Proxy -DirectoryObject $MyOUItem | foreach { Remove-QARSAccessTemplateLink -Proxy }

$MyOUItem would be an OU from a list that you would enumerate from the domain(s) in question.

That's certainly part of the solution required. Alas as Stu suggests we have many access template links in place and I haven't had a full extract with get-qarsaccesstemplatelink able to complete - many records and timeouts. I also can't necessarily adding any target information about the no longer required links to list those first.

You could add a filter into your Get-QARSAccessTemplateLink, to add -LDAPFilter "(!(tTrustee=*))" along with -SizeLimit, which would get all ATL's where the Trustee is not present

IE:

$ATLinks = Get-QARSAccessTemplateLink -SearchRoot "CN=AT Links,CN=Configuration" -Predefined $false -LdapFilter "(!(Trustee=*))" -SizeLimit 0 -Proxy 

The LDAP filter doesn't seem to be returning entries that don't have trustee values.

The LDAP filter doesn't seem to be returning entries that don't have trustee values.

Hi glenn colville 

Apologies, the LDAP filter on Trustee wouldn't work So you'd need to filter on other criteria..

This might be to filter by Access Template, so a loop inside a loop. IE in psudeo code:

$ATs = Get a list of All Access Templates

For Each $ATin $ATs

{

Run previous script, but change the Get-QARSAccessTemplateLink command to include AccessTemplate ($AT.dn)

}

The initial collection part of $ATs = Get a list of All Access Templates - is the first struggle. To collect these in short enough time. Enumerations of the data of trustee and directory object are not rapid. There's plenty of valid links we do want to keep and have to wade through those to find the ones we don't want which is still proving tricky.

If you set the $ShowValid to $false, it will only show ATLs which do not have a valid trustee.

Also you can run the script for a single Access Template at a time, therefore reducing the number of ATLs being retrieved...

Natually you could then just loop through each ATL in turn.

If you want to evaluate the ATLs offline, you'll need to change the script to output it results to file, and naturally not remove any ATLs.