Active Roles Community
Functions for creation of Policy links

This set of functions allows new policy links to be created, and existing or inherited policy links to be blocked, from PowerShell.

For example, to create a new policy link to the policy "My User Check" on the Accounts OU:

CreatePOLink -PolicyObjectIdentity "My User Check" -ObjectToApplyDN "OU=Accounts, dc=mydomain, dc=com"

To block a link (or an inherited link) to the same policy on that container:

BlockPOLink -PolicyObjectIdentity "My User Check" -ObjectToApplyDN "OU=Accounts, dc=mydomain, dc=com"

# Returns a fresh GUID string, used as the name of each new link object
function GetNewGuid {
    return [System.Guid]::NewGuid().ToString()
}

# Creates a Policy Object Link
# Parameters
#   PolicyObjectIdentity : Name, DN or cn of policy object
#   ObjectToApplyDN      : DN of container
#   Blocked              : True or false. Is it to be created as a blocked policy link?

#*********************************************************************************
# THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
# EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
#
# IF YOU WANT THIS FUNCTIONALITY TO BE CONDITIONALLY SUPPORTED,
# PLEASE CONTACT ONE IDENTITY PROFESSIONAL SERVICES.
#*********************************************************************************

Function CreatePOLink {
    param ( [string]$PolicyObjectIdentity,
            [string]$ObjectToApplyDN,
            [boolean]$Blocked=$false )

    # Set the parent container that holds all policy link objects
    $APLinksContainerDN="CN=AP Links,CN=Configuration"

    # Get a new guid to use as the link object's name
    $APLinkName=GetNewGuid
    if ($Blocked){
        $APLinkName=$APLinkName + '[Blocked]'
    }

    # Get the Policy Object Guid (stored on the link as a byte array)
    $PolicyObject=get-qadObject $PolicyObjectIdentity -DontUseDefaultIncludedProperties
    $APOGuid=$PolicyObject.Guid.ToByteArray()

    # Get the Managed Object Guid (the container the policy is applied to)
    $ManagedObject=get-qadObject $ObjectToApplyDN -DontUseDefaultIncludedProperties
    $SecObjectGuid=$ManagedObject.Guid.ToByteArray()

    # Now create the link
    $newObj=new-qadobject -parentcontainer $APLinksContainerDN -type 'edsPolicyObjectLink' -name $APLinkName -ObjectAttributes @{"edsaAPOGUID"=$APOGuid;"edsaSecObjectGuid"=$SecObjectGuid;"edsaBlockingLink"=$Blocked}
    $newObj
}

Function BlockPOLink {
    # The parameter is named PolicyObjectIdentity so that it matches the usage
    # example above and the parameter name CreatePOLink expects
    param ( [string]$PolicyObjectIdentity,
            [string]$ObjectToApplyDN
    )

    # Set the parent container
    $APLinksContainerDN="CN=AP Links,CN=Configuration"

    # Get the Policy Object Guid
    $PolicyObject=get-qadObject $PolicyObjectIdentity -DontUseDefaultIncludedProperties
    $APOGuid=$PolicyObject.Guid.ToString()
    write-host ("Policy Object Guid : $APOGuid")

    # Get the Managed Object Guid
    $ManagedObject=get-qadObject $ObjectToApplyDN -DontUseDefaultIncludedProperties
    $SecObjectGuid=$ManagedObject.Guid.ToString()
    write-host ("Security Object Guid : $SecObjectGuid")

    $ldapFilter="(&(edsaSecObjectGUID=$SecObjectGuid)(edsaAPOGUID=$APOGuid))"
    write-host ("Searching for POLink $ldapFilter")

    # Get the link for the object
    $POLink=get-qadobject -searchroot $APLinksContainerDN -ldapfilter $ldapFilter
    write-host ("Found Link : $POLink")

    # Does the link exist ?
    # If not then create the blocked link
    if ($null -eq $POLink){
        write-host ("Creating blocked link : $PolicyObjectIdentity for container $ObjectToApplyDN")
        # CreatePOLink's parameter is -PolicyObjectIdentity; the original call
        # used -PolicyObjectDN, which that function does not define
        $POLink=CreatePOLink -PolicyObjectIdentity $PolicyObjectIdentity -ObjectToApplyDN $ObjectToApplyDN -Blocked $true
        write-host ("Created Link : $POLink")
        $Set=set-qadobject -identity $POLink -ObjectAttributes @{"edsaBlockingLink"=$true}
    }
    else{
        # The link already exists (directly or inherited): mark it as blocking
        $Set=set-qadobject -identity $POLink -ObjectAttributes @{"edsaBlockingLink"=$true}
    }
}

#***** END OF CODE ***************************************************************
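CreatePOLink above creates a new edsPolicyObjectLink object on every call, so running it twice for the same policy and container leaves two link objects behind. The following wrapper is an added example, not part of the original wiki page or of Active Roles itself: it resolves both ends of the link, refuses ambiguous matches, reuses the page's LDAP filter to detect an existing link, and only calls CreatePOLink when none is found. The function name EnsurePOLink is hypothetical; it assumes the Active Roles Management Shell cmdlets are loaded, that CreatePOLink from this page is defined in the session, and that edsaBlockingLink is readable as a property when requested with -IncludedProperties.

```powershell
# EnsurePOLink (hypothetical name): idempotent wrapper around this page's CreatePOLink.
# Assumes the Active Roles Management Shell cmdlets are loaded and that CreatePOLink is
# already defined in the session.
Function EnsurePOLink {
    param (
        [Parameter(Mandatory=$true)][string]$PolicyObjectIdentity,
        [Parameter(Mandatory=$true)][string]$ObjectToApplyDN,
        [boolean]$Blocked = $false
    )

    $APLinksContainerDN = "CN=AP Links,CN=Configuration"

    # Resolve both ends of the link and insist on exactly one match each. A policy
    # name that matches several objects must not silently link the first one found.
    $policy = @(Get-QADObject $PolicyObjectIdentity -DontUseDefaultIncludedProperties)
    if ($policy.Count -ne 1) {
        throw "Policy object '$PolicyObjectIdentity' matched $($policy.Count) objects; expected exactly one."
    }
    $target = @(Get-QADObject $ObjectToApplyDN -DontUseDefaultIncludedProperties)
    if ($target.Count -ne 1) {
        throw "Container '$ObjectToApplyDN' matched $($target.Count) objects; expected exactly one."
    }

    # Same filter shape BlockPOLink uses to find an existing link for this
    # policy/container pair. edsaBlockingLink is requested explicitly so the blocked
    # state is read from the attribute rather than inferred from the link's name
    # (assumption: the attribute is exposed as a property by its LDAP name).
    $filter   = "(&(edsaSecObjectGUID=$($target[0].Guid))(edsaAPOGUID=$($policy[0].Guid)))"
    $existing = @(Get-QADObject -SearchRoot $APLinksContainerDN -LdapFilter $filter `
                    -DontUseDefaultIncludedProperties -IncludedProperties 'edsaBlockingLink')

    if ($existing.Count -gt 0) {
        # Report rather than create: a second link object for the same pair would be
        # a duplicate that is easy to miss when the container's policies are reviewed.
        foreach ($link in $existing) {
            Write-Host ("Link already exists: {0} (edsaBlockingLink={1})" -f $link.DN, $link.'edsaBlockingLink')
        }
        return $existing
    }

    $kind = if ($Blocked) { 'blocked' } else { 'normal' }
    Write-Host ("Creating $kind link for '$PolicyObjectIdentity' on $ObjectToApplyDN")
    return CreatePOLink -PolicyObjectIdentity $PolicyObjectIdentity -ObjectToApplyDN $ObjectToApplyDN -Blocked $Blocked
}

# Usage (constructed values):
# EnsurePOLink -PolicyObjectIdentity "My User Check" -ObjectToApplyDN "OU=Accounts,DC=mydomain,DC=com"
```

Returning the existing link objects instead of creating new ones lets a scheduled run of the script be repeated safely, and the printed edsaBlockingLink value shows whether the policy is actually enforced or blocked on that container.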

  • © 2025 One Identity LLC. ALL RIGHTS RESERVED.