• ARS access rule with claims enabled, appears to work but when user closes the ARS console and reopens the claim is not working as expected

    Hello ,

    To test a scenario out where I have a single Managed unit with all users. Only want admins from same department to see and modify users from same department.

    Enabled AD claim rules on domain and ARS server, setspns as described in the admin guide…

  • Access template permissions after group add/removal

    We're working on implementing ARS 7.0 (clean install) after having 6.9 for quite awhile. We've kind of hit a snag with our elevated permissions.


    We have workstation support that uses temporal membership to "elevate" themselves into a group that…

  • Delegate Full Access but prevent assigning of additional Access Templates


    In my company, I have delegated Full Access (all objects) to several Organizational Units in AD - I recently noticed this also allows admins to assign additional Access Templates to allow other users to have access to that same area. Is there any way…

  • Problem setting up an access template to only allow deletes (cont from old forums)

    I couldn't reply to an active thread I had on the old forum (http://activeroles.inside.quest.com/thread.jspa?threadID=16448&tstart=0) so I'm starting this one here.

    In response to Andrei, I reverted the AT back to the original setup where the…

  • PS cmdlet to Get Permissions assigned by AccessTemplate

    Is there any way to the get permissions assigned to an access template through PowerShell commandlet. I need to iterate through all the Accesstemplate and find templates that are granting Disable/Enable User object rights.

    Appreciate any help on this…

  • Cannot Expand Web Interface Tree View?

    Hi All,

    Hoping this is a simple one and that I have missed something obvious, but I can not expand the tree view in the web interface, so all I see are the top level objects "Active Directory", "AD LDS" and "Managed Units" unless I logon as the AR service…

  • Delegate Permissions to Publish Group

    I am currently in the process of implementing the ActiveRoles SelfService and seem to have a problems in delegating the publishing of groups.

    Owners and secondary owners are having the following permissions on their groups right now:

    Read All Propertie…

  • Group Membership and Self Service

    I was hoping someone can point me in the correct direction to the a solution for a problem I have.

    At the moment I have within my company, a few DL's who's memberships need to remain hidden and this is currently the case by hiding the DL's in question…

  • Minimum needed rights for user creation


    I'm currently deployed in a project where creation of user's are to be delegated to managers. I'm struggling to get the user creation to work when only things that Manager fills on a user creation form is first name, surname, department and if the…

  • Use ARS and/or powershell to create groups - nested & add members automatically?

    We use the lousy nested structure for shared folder ntfs permissions where a domain local group contains a universal which contains a global and the global has the users.  I want to find a way to create the 3 groups required when a new folder is setup…

  • Link Access Template to OU object only. Not child

    Hi I'm looking to reuse some code written by Quest PS for creating OU structures, groups etc and applying access templates. Unfortunatley the AD model has changed slightly and I need to hide an OU under the OU where I want the Access Template applied…

  • Script logging for scripts in policies & debugging?


    I've been getting a ton of help on here, thank you all! I have some great examples of how to add logging to scripts, but I am a bit confused on how to add them to scripts I have.  I understand the lines that specify the log file and so forth, but…

  • Some managed units losing inherited Access Template Links

    Hello all -

    We are halfway through our migration from 6.5 to 6.7. What's stopping us from calling it finished is that some inherited Access Template Links are not being enforced on some (but only a few) subordinate managed units. The loss is not consistent…

  • Access Template for a specific user Object !


    I want to know if there's a possibility to create an Access Template that can limit the access rights for a specific type of user.

    This type of user is a service account. In conclusion I must define in the Access template a strategy to distinguish…

  • Exchange 2010 Sp1 - Cmdlets from ARS Shell-Proper way?

    I've searched the net and the only thing I've found is that it is not supported to do an "add-pssnappin" from the ars shell to load the exchange cmdlets, although many people do it.

    I am trying to find the right way and I've read that…

  • How to break inheritance on one OU


    I'm relative new to ARS and this question may have been answered before, I do apologize.

    I've an OU structure like this.





    I have delegated permissions/access template to our helpdesk on the MainOU. On subou3…