This set of functions allows the creation of new policy links and the blocking of existing policy links via PowerShell.
E.g. to create a new policy link to the policy "My User Check" on the Account OU:
CreatePOLink -PolicyObjectIdentity "My User Check" -ObjectToApplyDN "OU=Accounts, dc=mydomain, dc=com"
To block a link or an inherited link: BlockPOLink -PolicyObjectIdentity "My User Check" -ObjectToApplyDN "OU=Accounts, dc=mydomain, dc=com"
function GetNewGuid {
    # Returns a freshly generated GUID in its canonical hyphenated string form;
    # used as the (unique) name of a new policy object link.
    $freshGuid = [System.Guid]::NewGuid()
    return $freshGuid.ToString()
}
- Creates a Policy Object Link
- Parameters
- PolicyObjectIdentity : Name, DN or cn of policy object
- ObjectToApplyDN : DN of container
- Blocked : True or false. Whether the link is to be created as a blocked policy link
#*********************************************************************************
# THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
# EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
#
# IF YOU WANT THIS FUNCTIONALITY TO BE CONDITIONALLY SUPPORTED,
# PLEASE CONTACT ONE IDENTITY PROFESSIONAL SERVICES.
#*********************************************************************************
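Function CreatePOLInk {
    <#
    .SYNOPSIS
        Creates an edsPolicyObjectLink that applies a policy object to a container.
    .PARAMETER PolicyObjectIdentity
        Name, DN or cn of the policy object; passed straight to get-qadObject.
    .PARAMETER ObjectToApplyDN
        DN of the container (managed object) the policy is linked to.
    .PARAMETER Blocked
        $true to create the link as a blocking link (edsaBlockingLink=$true);
        the link name is then tagged with '[Blocked]'.
    .OUTPUTS
        The object returned by new-qadobject for the newly created link.
    .NOTES
        Throws if either the policy object or the managed object cannot be resolved,
        instead of silently creating a link whose GUID attributes are empty.
    #>
    param ( [string]$PolicyObjectIdentity,
            [string]$ObjectToApplyDN,
            [boolean]$Blocked=$false )

    # Container that holds every policy object link
    $APLinksContainerDN = "CN=AP Links,CN=Configuration"

    # The link is named after a fresh GUID; blocked links carry a visible tag
    $APLinkName = GetNewGuid
    if ($Blocked) {
        $APLinkName = $APLinkName + '[Blocked]'
    }

    # Resolve the policy object. Without the check, member access on a $null
    # lookup result yields $null (outside Set-StrictMode) and a link pointing
    # at nothing would be created.
    $PolicyObject = get-qadObject $PolicyObjectIdentity -DontUseDefaultIncludedProperties
    if ($null -eq $PolicyObject) {
        throw "Policy object '$PolicyObjectIdentity' was not found"
    }
    $APOGuid = $PolicyObject.Guid.ToByteArray()

    # Resolve the managed object the same way
    $ManagedObject = get-qadObject $ObjectToApplyDN -DontUseDefaultIncludedProperties
    if ($null -eq $ManagedObject) {
        throw "Object '$ObjectToApplyDN' was not found"
    }
    $SecObjectGuid = $ManagedObject.Guid.ToByteArray()

    # Create the link; both GUIDs are stored as raw byte arrays in the eds attributes
    $newObj = new-qadobject -parentcontainer $APLinksContainerDN -type 'edsPolicyObjectLink' -name $APLinkName -ObjectAttributes @{"edsaAPOGUID"=$APOGuid;"edsaSecObjectGuid"=$SecObjectGuid;"edsaBlockingLink"=$Blocked}
    $newObj
}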
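Function BlockPOLink {
    <#
    .SYNOPSIS
        Marks the policy object link between a policy and a container as blocking,
        creating a blocked link first if no link exists yet.
    .PARAMETER PolicyObjectDN
        Name, DN or cn of the policy object; passed straight to get-qadObject.
    .PARAMETER ObjectToApplyDN
        DN of the container (managed object) whose link should be blocked.
    .OUTPUTS
        None; progress is written to the host. The set-qadobject result is discarded.
    .NOTES
        Throws if either object cannot be resolved. The original code called
        CreatePOLink with -PolicyObjectDN, a parameter that function does not have,
        so the "create" branch could never succeed; it now passes -PolicyObjectIdentity.
    #>
    param ( [string]$PolicyObjectDN,
            [string]$ObjectToApplyDN
    )

    # Container that holds every policy object link
    $APLinksContainerDN = "CN=AP Links,CN=Configuration"

    # Resolve the policy object; fail loudly rather than search with an empty GUID
    $PolicyObject = get-qadObject $PolicyObjectDN -DontUseDefaultIncludedProperties
    if ($null -eq $PolicyObject) {
        throw "Policy object '$PolicyObjectDN' was not found"
    }
    $APOGuid = $PolicyObject.Guid.ToString()
    write-host ("Policy Object Guid : $APOGuid")

    # Resolve the managed object
    $ManagedObject = get-qadObject $ObjectToApplyDN -DontUseDefaultIncludedProperties
    if ($null -eq $ManagedObject) {
        throw "Object '$ObjectToApplyDN' was not found"
    }
    $SecObjectGuid = $ManagedObject.Guid.ToString()
    write-host ("Security Object Guid : $SecObjectGuid")

    # Both values interpolated here come from System.Guid.ToString(), i.e. only
    # hex digits and hyphens, so no LDAP filter escaping is required. Do not
    # substitute caller-supplied strings into this filter without escaping them.
    $ldapFilter = "(&(edsaSecObjectGUID=$SecObjectGuid)(edsaAPOGUID=$APOGuid))"
    write-host ("Searching for POLink $ldapFilter")

    # Look the link up under the links container
    $POLink = get-qadobject -searchroot $APLinksContainerDN -ldapfilter $ldapFilter
    write-host ("Found Link : $POLink")

    # No existing link: create one that is already blocked. "$null -eq" is used
    # on the left so an array result is not filtered element-wise.
    if ($null -eq $POLink) {
        write-host ("Creating blocked link : $PolicyObjectDN for container $ObjectToApplyDN")
        $POLink = CreatePOLink -PolicyObjectIdentity $PolicyObjectDN -ObjectToApplyDN $ObjectToApplyDN -Blocked $true
        write-host ("Created Link : $POLink")
    }

    # Either way, make sure the link is flagged as blocking (idempotent for a
    # freshly created blocked link)
    $set = set-qadobject -identity $POLink -ObjectAttributes @{"edsaBlockinglink"=$true}
}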
#***** END OF CODE ***************************************************************