
# Helper
function Resolve-SafeguardDirectoryIdentityProviderId
# Helper: resolve $Directory to a directory identity provider Id.
# $Directory may be an object exposing an integer Id, an integer Id, or a
# name; a name is looked up via Core GET IdentityProviders.
# NOTE(review): the Param block, braces, try/catch/else and the final
# return expression are not visible in this listing; the structure below is
# inferred from indentation and from the use of $_ before the
# "Caught exception" message.

    # Default to terminating errors and inherit the caller's verbosity unless
    # the caller passed -ErrorAction / -Verbose explicitly.
    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    # An object that carries an integer Id is reduced to that Id.
    if ($Directory.Id -as [int])
        $Directory = $Directory.Id

    # Anything that is still not an integer is treated as a name to look up.
    if (-not ($Directory -as [int]))
            # First try a case-insensitive match on Name, then on a domain name.
            # NOTE(review): $Directory is interpolated unescaped into the filter
            # expression, so a value containing a single quote alters or breaks
            # the filter; a resulting error is caught below and retried with q.
            $local:Idps = (Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET IdentityProviders `
                               -Parameters @{ Filter = "Name ieq '$Directory'" })
            if (-not $local:Idps)
                $local:Idps = (Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET IdentityProviders `
                                   -Parameters @{ Filter = "DirectoryProperties.Domains.DomainName ieq '$Directory'" })
            # Fallback when the filter query throws (presumably the catch block;
            # $_ is the caught error): retry with the free-text q parameter.
            Write-Verbose $_
            Write-Verbose "Caught exception with ieq filter, trying with q parameter"
            $local:Idps = (Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET IdentityProviders `
                                      -Parameters @{ q = $Directory })
        # Exactly one match is required; zero or several is an error, so a name
        # never silently resolves to the wrong provider.
        if (-not $local:Idps)
            throw "Unable to find directory identity provider matching '$Directory'"
        if ($local:Idps.Count -ne 1)
            throw "Found $($local:Idps.Count) directory identity providers matching '$Directory'"
function Resolve-SafeguardDirectoryId
# Helper: resolve $Directory to a directory Id using the v2 Directories API.
# $Directory may be an object exposing an integer Id, an integer Id, or a
# string that is matched against Name, NetworkAddress and Domains.DomainName.
# NOTE(review): the Param block, braces, try/catch/else and the final
# return expression are not visible in this listing; the structure below is
# inferred from indentation and from the use of $_ before the
# "Caught exception" message.

    # Default to terminating errors and inherit the caller's verbosity unless
    # the caller passed -ErrorAction / -Verbose explicitly.
    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    # An object that carries an integer Id is reduced to that Id.
    if ($Directory.Id -as [int])
        $Directory = $Directory.Id

    # Anything that is still not an integer is treated as a name to look up.
    if (-not ($Directory -as [int]))
            # Case-insensitive match, tried in order: Name, NetworkAddress,
            # then any domain name of the directory.
            # NOTE(review): $Directory is interpolated unescaped into the filter
            # expression, so a value containing a single quote alters or breaks
            # the filter; a resulting error is caught below and retried with q.
            $local:Directories = (Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET Directories `
                                      -Parameters @{ filter = "Name ieq '$Directory'" } -Version 2)
            if (-not $local:Directories)
                $local:Directories = (Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET Directories `
                                          -Parameters @{ filter = "NetworkAddress ieq '$Directory'" } -Version 2)
            if (-not $local:Directories)
                $local:Directories = (Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET Directories `
                                          -Parameters @{ filter = "Domains.DomainName ieq '$Directory'" } -Version 2)
            # Fallback when the filter query throws (presumably the catch block;
            # $_ is the caught error): retry with the free-text q parameter.
            Write-Verbose $_
            Write-Verbose "Caught exception with ieq filter, trying with q parameter"
            $local:Directories = (Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET Directories `
                                      -Parameters @{ q = $Directory } -Version 2)
        # Exactly one match is required; zero or several is an error, so a name
        # never silently resolves to the wrong directory.
        if (-not $local:Directories)
            throw "Unable to find directory matching '$Directory'"
        if ($local:Directories.Count -ne 1)
            throw "Found $($local:Directories.Count) directories matching '$Directory'"
function Resolve-SafeguardDirectoryAccountId
# Helper: resolve $Account to a directory account Id using the v2 API.
# $Account may be an object exposing an integer Id, an integer Id, or a name.
# When DirectoryId is supplied the lookup is scoped to that directory's
# accounts; otherwise all directory accounts are searched.
# NOTE(review): the Param block, braces, try/catch/else and the final
# return expression are not visible in this listing; the structure below is
# inferred from indentation and from the use of $_ before the
# "Caught exception" message.

    # Default to terminating errors and inherit the caller's verbosity unless
    # the caller passed -ErrorAction / -Verbose explicitly.
    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    # An object that carries an integer Id is reduced to that Id.
    if ($Account.Id -as [int])
        $Account = $Account.Id

    # Anything that is still not an integer is treated as a name to look up.
    if (-not ($Account -as [int]))
        # Scoped URL when a directory is given; the unscoped URL on the next
        # line is presumably the else branch.
        # NOTE(review): $DirectoryId is interpolated into the URL path; this
        # assumes the Param block declares it as an integer — confirm.
        if ($PSBoundParameters.ContainsKey("DirectoryId"))
            $local:RelativeUrl = "Directories/$DirectoryId/Accounts"
            $local:RelativeUrl = "DirectoryAccounts"
            # NOTE(review): $Account is interpolated unescaped into the filter
            # expression, so a value containing a single quote alters or breaks
            # the filter; a resulting error is caught below and retried with q.
            $local:Accounts = (Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET $local:RelativeUrl `
                                   -Parameters @{ filter = "Name ieq '$Account'" } -Version 2)
            # Fallback when the filter query throws (presumably the catch block;
            # $_ is the caught error): retry with the free-text q parameter.
            Write-Verbose $_
            Write-Verbose "Caught exception with ieq filter, trying with q parameter"
            $local:Accounts = (Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET $local:RelativeUrl `
                                   -Parameters @{ q = $Account } -Version 2)
        # Exactly one match is required; zero or several is an error, so a name
        # never silently resolves to the wrong account.
        if (-not $local:Accounts)
            throw "Unable to find account matching '$Account'"
        if ($local:Accounts.Count -ne 1)
            throw "Found $($local:Accounts.Count) accounts matching '$Account'"

Get directory identity providers used by Safeguard via the Web API.

Safeguard directory users can be added from Safeguard directory identity providers to
enable domain users to log into Safeguard.

.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.

.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.

Ignore verification of Safeguard appliance SSL certificate.

.PARAMETER DirectoryToGet
An integer containing the ID of the directory to get or a string containing the name.


JSON response from Safeguard Web API.

Get-SafeguardDirectoryIdentityProvider -AccessToken $token -Appliance -Insecure

Get-SafeguardDirectoryIdentityProvider x.domain.corp

function Get-SafeguardDirectoryIdentityProvider
# Fetch one directory identity provider by Id or name, or list all providers
# of type ActiveDirectory or Ldap when no DirectoryToGet is supplied.
# NOTE(review): the Param block, braces and the else line are not visible in
# this listing; the unfiltered GET below is presumably the else branch.

    # Default to terminating errors and inherit the caller's verbosity unless
    # the caller passed -ErrorAction / -Verbose explicitly.
    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    # Single provider: resolve the name to an Id first so the GET is by Id.
    if ($PSBoundParameters.ContainsKey("DirectoryToGet"))
        $local:Id = Resolve-SafeguardDirectoryIdentityProviderId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $DirectoryToGet
        Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET "IdentityProviders/$($local:Id)"
        # List: the filter is a constant, so only directory-type providers are
        # returned (other identity provider types are excluded).
        Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET IdentityProviders `
            -Parameters @{ Filter = "(TypeReferenceName eq 'ActiveDirectory') or (TypeReferenceName eq 'Ldap')" }

Get domains of a directory identity provider used by Safeguard via the Web API.

Safeguard directory users can be added from Safeguard directory identity providers to
enable domain users to log into Safeguard. This cmdlet will report on which domains
are included within that directory identity provider.

.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.

.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.

Ignore verification of Safeguard appliance SSL certificate.

.PARAMETER DirectoryToGet
An integer containing the ID of the directory to get or a string containing the name.


JSON response from Safeguard Web API.

Get-SafeguardDirectoryIdentityProviderDomain -AccessToken $token -Appliance -Insecure

Get-SafeguardDirectoryIdentityProviderDomain x.domain.corp

function Get-SafeguardDirectoryIdentityProviderDomain
# Report the domains contained in one directory identity provider.
# NOTE(review): the Param block and braces are not visible here, and the line
# that continues the call below (the DirectoryToGet argument and the property
# selected from the result) is missing from this listing; presumably it
# selects the provider's domain list — confirm against the full source.

    # Default to terminating errors and inherit the caller's verbosity unless
    # the caller passed -ErrorAction / -Verbose explicitly.
    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    # Delegates the lookup (Id or name) to Get-SafeguardDirectoryIdentityProvider.
    (Get-SafeguardDirectoryIdentityProvider -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure `

Create new directory identity provider in Safeguard via the Web API.

Create a new directory identity provider in Safeguard for adding directory users that can log into
Safeguard via the Web API.

.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.

.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.

Ignore verification of Safeguard appliance SSL certificate.

.PARAMETER ServiceAccountDomainName
A string containing the service account domain name if it has one. This is used
for creating AD directory identity providers.

.PARAMETER ServiceAccountName
A string containing the service account name. This is used for creating AD directory identity providers.

.PARAMETER ServiceAccountDistinguishedName
A string containing the LDAP distinguished name of a service account. This is used for
creating LDAP directory identity providers.

.PARAMETER ServiceAccountPassword
A SecureString containing the password to use for the service account.

.PARAMETER NetworkAddress
A string containing the network address for this directory identity provider. This is used for creating
LDAP directory identity providers.

An integer containing the port for this directory identity provider. This is used for creating
LDAP directory identity providers.

.PARAMETER NoSslEncryption
Do not use SSL encryption for LDAP directory identity provider.

.PARAMETER DoNotVerifyServerSslCertificate
Do not verify Server SSL certificate of LDAP directory identity provider.

.PARAMETER DisplayName
Name for the directory identity provider (default for AD is ServiceAccountDomainName)

.PARAMETER Description
A string containing a description for this directory identity provider.


JSON response from Safeguard Web API.

New-SafeguardDirectoryIdentityProvider -AccessToken $token -Appliance -Insecure

New-SafeguardDirectoryIdentityProvider internal.domain.corp svc-user

New-SafeguardDirectoryIdentityProvider -ServiceAccountDistinguishedName "cn=dev-sa,ou=people,dc=ldap,dc=domain,dc=corp" -NoSslEncryption

function New-SafeguardDirectoryIdentityProvider
# Create a directory identity provider via Core POST IdentityProviders.
# Builds an Ldap body (parameter set "Ldap") or an ActiveDirectory body
# (presumably the else branch), prompting for the service-account password and
# display name when they were not supplied.
# NOTE(review): the Param block, braces, else lines and the closing lines of
# both hashtables (including the continuation that converts
# $ServiceAccountPassword for the request body) are not visible in this
# listing; presumably the SecureString is converted to plaintext there for
# transmission — confirm against the full source.

    # Default to terminating errors and inherit the caller's verbosity unless
    # the caller passed -ErrorAction / -Verbose explicitly.
    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    # Prompt as a SecureString so the password is neither echoed nor left in
    # the command line / history when the caller omits it.
    if (-not $PSBoundParameters.ContainsKey("ServiceAccountPassword"))
        $ServiceAccountPassword = (Read-Host -AsSecureString "ServiceAccountPassword")

    # Default display name: the AD domain name when there is one, otherwise
    # prompt (the prompt is presumably the else branch).
    if (-not $PSBoundParameters.ContainsKey("DisplayName"))
        if ($ServiceAccountDomainName)
            $DisplayName = $ServiceAccountDomainName
            $DisplayName = (Read-Host "DisplayName")

    # LDAP provider: TLS and server certificate verification are on by default
    # and only switched off by the explicit opt-out flags below.
    if ($PSCmdlet.ParameterSetName -eq "Ldap")
        $local:Body = @{
            Name = $DisplayName;
            TypeReferenceName = "Ldap";
            DirectoryProperties = @{
                ConnectionProperties = @{
                    UseSslEncryption = $true;
                    VerifySslCertificate = $true;
                    ServiceAccountDistinguishedName = $ServiceAccountDistinguishedName;
                    ServiceAccountPassword = `
        # NOTE(review): as built above, ConnectionProperties is nested under
        # DirectoryProperties (contrast the Directories body in
        # New-SafeguardDirectory, where it is top-level), but the four
        # assignments below address $local:Body.ConnectionProperties directly
        # and so appear to target a key that does not exist — confirm, and if
        # so use $local:Body.DirectoryProperties.ConnectionProperties.
        if ($PSBoundParameters.ContainsKey("NetworkAddress"))
            $local:Body.ConnectionProperties.NetworkAddress = $NetworkAddress
        if ($PSBoundParameters.ContainsKey("Port"))
            $local:Body.ConnectionProperties.Port = $Port
        # Disabling TLS leaves nothing to verify, so both flags are cleared.
        # Either opt-out weakens the LDAP transport (cleartext, or TLS without
        # server authentication) and exposes the service-account bind to
        # interception or impersonation; use only where that is acceptable.
        if ($NoSslEncryption)
            $local:Body.ConnectionProperties.UseSslEncryption = $false
            $local:Body.ConnectionProperties.VerifySslCertificate = $false
        if ($DoNotVerifyServerSslCertificate)
            $local:Body.ConnectionProperties.VerifySslCertificate = $false
        # Active Directory provider (presumably the else branch of the Ldap
        # check): no network address / TLS flags, the domain is the address.
        $local:Body = @{
            Name = $DisplayName;
            TypeReferenceName = "ActiveDirectory";
            DirectoryProperties = @{
                ConnectionProperties = @{
                    ServiceAccountDomainName = $ServiceAccountDomainName;
                    ServiceAccountName = $ServiceAccountName;
                    ServiceAccountPassword = `
    # Optional description applies to both provider types.
    if ($PSBoundParameters.ContainsKey("Description"))
        $local:Body.Description = $Description

    # The API response for the created provider is the cmdlet output.
    Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core POST IdentityProviders -Body $local:Body

Remove a directory identity provider from Safeguard via the Web API.

Remove a directory identity provider from Safeguard. Make sure it is not
in use before you remove it.

.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.

.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.

Ignore verification of Safeguard appliance SSL certificate.

.PARAMETER DirectoryToDelete
An integer containing the ID of the directory identity provider to remove or a string containing the name.


JSON response from Safeguard Web API.

Remove-SafeguardDirectoryIdentityProvider -AccessToken $token -Appliance -Insecure 5

Remove-SafeguardDirectoryIdentityProvider internal.domain.corp

function Remove-SafeguardDirectoryIdentityProvider
# Delete a directory identity provider by Id or name.
# NOTE(review): the Param block and braces are not visible in this listing.
# No confirmation step is visible before the DELETE, so a name that resolves
# is removed immediately; the help text leaves the in-use check to the caller.

    # Default to terminating errors and inherit the caller's verbosity unless
    # the caller passed -ErrorAction / -Verbose explicitly.
    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    # Resolution throws unless exactly one provider matches, which guards the
    # DELETE against ambiguous names.
    $local:IdpId = (Resolve-SafeguardDirectoryIdentityProviderId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $DirectoryToDelete)
    Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core DELETE "IdentityProviders/$($local:IdpId)"

Edit existing directory identity provider in Safeguard via the Web API.

Edit an existing directory identity provider in Safeguard that can be used to manage accounts.

.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.

.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.

Ignore verification of Safeguard appliance SSL certificate.

.PARAMETER DirectoryToEdit
An integer containing the ID of the directory identity provider to edit or a string containing the name.

.PARAMETER NetworkAddress
A string containing the network address for this directory identity provider. This is used for creating
LDAP directory identity providers.

An integer containing the port for this directory identity provider. This is used for creating
LDAP directory identity providers.

.PARAMETER NoSslEncryption
Do not use SSL encryption for LDAP directory identity provider.

.PARAMETER DoNotVerifyServerSslCertificate
Do not verify Server SSL certificate of LDAP directory identity provider.

.PARAMETER Description
A string containing a description for this directory identity provider.

.PARAMETER DirectoryObject
An object containing the existing directory identity provider with desired properties set.


JSON response from Safeguard Web API.

Edit-SafeguardDirectoryIdentityProvider -AccessToken $token -Appliance -Insecure internal.domain.corp

Edit-SafeguardDirectoryIdentityProvider ldap.domain.corp -ServiceAccountDistinguishedName "cn=dev-sa,ou=people,dc=ldap,dc=domain,dc=corp" -NoSslEncryption

Edit-SafeguardDirectoryIdentityProvider -DirectoryObject $obj

function Edit-SafeguardDirectoryIdentityProvider
# Update a directory identity provider, either from a caller-supplied object
# (parameter set "Object") or by fetching the current object and applying the
# given attributes (parameter set "Attributes"); the whole object is then PUT.
# NOTE(review): the Param block, braces and else lines are not visible in
# this listing.

    # Default to terminating errors and inherit the caller's verbosity unless
    # the caller passed -ErrorAction / -Verbose explicitly.
    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    # The object parameter set needs something to send.
    if ($PsCmdlet.ParameterSetName -eq "Object" -and -not $DirectoryObject)
        throw "DirectoryObject must not be null"

    # Attribute edits need a target; prompt for it when it was not supplied,
    # then resolve it (throws unless exactly one provider matches).
    if ($PsCmdlet.ParameterSetName -eq "Attributes")
        if (-not $PSBoundParameters.ContainsKey("DirectoryToEdit"))
            $DirectoryToEdit = (Read-Host "DirectoryToEdit")
        $local:IdpId = (Resolve-SafeguardDirectoryIdentityProviderId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $DirectoryToEdit)

    # Attributes path: read-modify-write of the current provider object.
    if (-not ($PsCmdlet.ParameterSetName -eq "Object"))
        $local:IdpObject = (Get-SafeguardDirectoryIdentityProvider -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $local:IdpId)

        # Connection Properties
        # NOTE(review): the ConnectionProperties guard runs before the
        # DirectoryProperties guard on the next line; if DirectoryProperties is
        # null the assignment here fails. The two lines should be swapped.
        if (-not $local:IdpObject.DirectoryProperties.ConnectionProperties) { $local:IdpObject.DirectoryProperties.ConnectionProperties = @{} }
        if (-not $local:IdpObject.DirectoryProperties) { $local:IdpObject.DirectoryProperties = @{} }
        if ($PSBoundParameters.ContainsKey("Port")) { $local:IdpObject.DirectoryProperties.ConnectionProperties.Port = $Port }
        # Disabling TLS leaves nothing to verify, so both flags are cleared.
        # Either opt-out weakens the LDAP transport (cleartext, or TLS without
        # server authentication) and exposes the service-account bind to
        # interception or impersonation; use only where that is acceptable.
        # Note that neither flag can re-enable TLS or verification from here.
        if ($NoSslEncryption)
            $local:IdpObject.DirectoryProperties.ConnectionProperties.UseSslEncryption = $false
            $local:IdpObject.DirectoryProperties.ConnectionProperties.VerifySslCertificate = $false
        if ($DoNotVerifyServerSslCertificate)
            $local:IdpObject.DirectoryProperties.ConnectionProperties.VerifySslCertificate = $false

        # Body
        # NOTE(review): DisplayName is accepted here but has no .PARAMETER entry
        # in the cmdlet help. NetworkAddress is written to the top-level object,
        # whereas Port above goes under DirectoryProperties.ConnectionProperties
        # (where New-SafeguardDirectoryIdentityProvider also places it);
        # confirm which location the API expects.
        if ($PSBoundParameters.ContainsKey("DisplayName")) { $local:IdpObject.Name = $DisplayName }
        if ($PSBoundParameters.ContainsKey("Description")) { $local:IdpObject.Description = $Description }
        if ($PSBoundParameters.ContainsKey("NetworkAddress")) { $local:IdpObject.NetworkAddress = $NetworkAddress }

        $DirectoryObject = $local:IdpObject

    # Full-object PUT keyed on the object's own Id; the API response is the
    # cmdlet output.
    Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core PUT "IdentityProviders/$($DirectoryObject.Id)" -Body $DirectoryObject

Get the schema mapping from a directory identity provider in Safeguard via the Web API.

Get the user or group schema mapping of an existing directory identity provider in Safeguard.

.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.

.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.

Ignore verification of Safeguard appliance SSL certificate.

.PARAMETER DirectoryToEdit
An integer containing the ID of the directory identity provider to edit or a string containing the name.

A string containing which schema type to get (User or Group).


JSON response from Safeguard Web API.

Get-SafeguardDirectoryIdentityProviderSchemaMapping -AccessToken $token -Appliance -Insecure internal.domain.corp -SchemaType Group

Get-SafeguardDirectoryIdentityProviderSchemaMapping internal.domain.corp User

function Get-SafeguardDirectoryIdentityProviderSchemaMapping
# Return the user or group attribute mapping of a directory identity provider.
# NOTE(review): the Param block and braces are not visible here, and the line
# that continues the Get call below (the directory argument and the property
# selected from the result) is missing from this listing; presumably it
# selects the provider's schema properties — confirm against the full source.

    # Default to terminating errors and inherit the caller's verbosity unless
    # the caller passed -ErrorAction / -Verbose explicitly.
    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    $local:SchemaProperties = (Get-SafeguardDirectoryIdentityProvider -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure `
    # NOTE(review): the Group arm pipes through Format-List, so it emits
    # formatting records rather than data, unlike the User arm; callers cannot
    # pipe or inspect the Group result. Dropping Format-List here and
    # formatting at the call site would make the two arms consistent.
    switch ($SchemaType)
        User {$local:SchemaProperties.UserProperties}
        Group {$local:SchemaProperties.GroupProperties | Format-List}

Set the schema mapping for a directory identity provider in Safeguard via the Web API.

Set the user or group schema mapping of an existing directory identity provider in Safeguard.

.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.

.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.

Ignore verification of Safeguard appliance SSL certificate.

.PARAMETER DirectoryToEdit
An integer containing the ID of the directory identity provider to edit or a string containing the name.

A string containing which schema type to set (User or Group).

.PARAMETER SchemaMappingObj
An object containing the directory identity provider schema mapping with desired properties set.


JSON response from Safeguard Web API.

Set-SafeguardDirectoryIdentityProviderSchemaMapping -AccessToken $token -Appliance -Insecure internal.domain.corp -SchemaType User -SchemaMappingObj $schema

Set-SafeguardDirectoryIdentityProviderSchemaMapping internal.domain.corp user @{ DescriptionAttribute = "userPrincipalName" }

function Set-SafeguardDirectoryIdentityProviderSchemaMapping
# Replace the user or group attribute mapping of a directory identity provider
# with $SchemaMappingObj, PUT the whole provider object back, and return the
# mapping as stored by the appliance.
# NOTE(review): the Param block and braces are not visible in this listing.
# The code reads $DirectoryToGet while the help documents DirectoryToEdit;
# confirm which parameter name the Param block declares.

    # Default to terminating errors and inherit the caller's verbosity unless
    # the caller passed -ErrorAction / -Verbose explicitly.
    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    # Read-modify-write: fetch the current object so the rest of it survives
    # the full-object PUT.
    $local:IdpObject = (Get-SafeguardDirectoryIdentityProvider -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $DirectoryToGet)

    # NOTE(review): the Group arm pipes through Format-List, so it emits
    # formatting records rather than data, unlike the User arm; callers cannot
    # pipe or inspect the Group result.
    switch ($SchemaType)
        User {
            $local:IdpObject.DirectoryProperties.SchemaProperties.UserProperties = $SchemaMappingObj
            (Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core PUT "IdentityProviders/$($local:IdpObject.Id)" `
                -Body $local:IdpObject).DirectoryProperties.SchemaProperties.UserProperties
        Group {
            $local:IdpObject.DirectoryProperties.SchemaProperties.GroupProperties = $SchemaMappingObj
            (Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core PUT "IdentityProviders/$($local:IdpObject.Id)" `
                -Body $local:IdpObject).DirectoryProperties.SchemaProperties.GroupProperties | Format-List


Get directories managed by Safeguard via the Web API.

Get the directories managed by Safeguard. Accounts can be added to these directories,
and Safeguard can be configured to manage their passwords. Once a directory is added
to Safeguard, a user administrator can create a Safeguard user from the directory
identity provider.

.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.

.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.

Ignore verification of Safeguard appliance SSL certificate.

.PARAMETER DirectoryToGet
An integer containing the ID of the directory to get or a string containing the name.

An array of the directory property names to return.


JSON response from Safeguard Web API.

Get-SafeguardDirectory -AccessToken $token -Appliance -Insecure

Get-SafeguardDirectory x.domain.corp

function Get-SafeguardDirectory
# List managed directories, or fetch one by Id or name, optionally restricting
# the returned properties to $Fields. When the Directories endpoint answers
# 404/405 the call falls back to the Assets API and selects assets on the
# OpenLDAP or Active Directory platforms.
# NOTE(review): the Param block, braces, try/catch and else lines are not
# visible in this listing; the structure below is inferred from indentation
# and from the use of $_.Exception before the 404/405 check.

    # Default to terminating errors and inherit the caller's verbosity unless
    # the caller passed -ErrorAction / -Verbose explicitly.
    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    # Projection: the API takes a comma-separated field list.
    $local:Parameters = $null
    if ($Fields)
        $local:Parameters = @{ fields = ($Fields -join ",")}

        # Presumably inside a try block: the v2 Directories API, by Id or as a
        # list (the list call is presumably the else branch).
        if ($PSBoundParameters.ContainsKey("DirectoryToGet"))
            $local:DirectoryId = Resolve-SafeguardDirectoryId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $DirectoryToGet
            Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET `
                "Directories/$($local:DirectoryId)" -Version 2 -Parameters $local:Parameters
            Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET `
                Directories -Version 2 -Parameters $local:Parameters
        # Presumably the catch block: only a missing endpoint (404/405) falls
        # back to assets; any other error propagates.
        if ($_.Exception.HttpStatusCode -eq 404 -or $_.Exception.HttpStatusCode -eq 405)
            if ($PSBoundParameters.ContainsKey("DirectoryToGet"))
                Get-SafeguardAsset -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $DirectoryToGet -Parameters $local:Parameters
                # NOTE(review): these two lookups omit -Insecure:$Insecure,
                # unlike the same calls in New-SafeguardDirectory; with -Insecure
                # against an untrusted appliance certificate they may fail.
                $local:LdapPlatformId = (Find-SafeguardPlatform "OpenLDAP" -Appliance $Appliance -AccessToken $AccessToken)[0].Id
                $local:AdPlatformId = (Find-SafeguardPlatform "Active Directory" -Appliance $Appliance -AccessToken $AccessToken)[0].Id

                # PlatformId must be in the projection for the filter below.
                if ($Fields)
                    $Fields += "PlatformId"
                (Get-SafeguardAsset -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure -Fields $Fields) | Where-Object {
                    ($_.PlatformId -eq $local:LdapPlatformId) -or ($_.PlatformId -eq $local:AdPlatformId)

Create new directory asset in Safeguard via the Web API.

Create a new directory in Safeguard that can be used to manage accounts. As of
Safeguard version 2.7 and greater this cmdlet no longer creates an identity
provider, so it will no longer allow the creation of Safeguard users from the
added directory. To create Safeguard users from a directory, use the
New-SafeguardDirectoryIdentityProvider cmdlet to add the identity provider.

.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.

.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.

Ignore verification of Safeguard appliance SSL certificate.

.PARAMETER ServiceAccountDomainName
A string containing the service account domain name if it has one. This is used
for creating AD directories.

.PARAMETER ServiceAccountName
A string containing the service account name. This is used for creating AD directories.

.PARAMETER ServiceAccountDistinguishedName
A string containing the LDAP distinguished name of a service account. This is used for
creating LDAP directories.

.PARAMETER ServiceAccountPassword
A SecureString containing the password to use for the service account.

.PARAMETER NetworkAddress
A string containing the network address for this directory. This is used for creating
LDAP directories.

An integer containing the port for this directory. This is used for creating
LDAP directories.

.PARAMETER NoSslEncryption
Do not use SSL encryption for LDAP directory.

.PARAMETER DoNotVerifyServerSslCertificate
Do not verify Server SSL certificate of LDAP directory.

.PARAMETER Description
A string containing a description for this directory.


JSON response from Safeguard Web API.

New-SafeguardDirectory -AccessToken $token -Appliance -Insecure

New-SafeguardDirectory internal.domain.corp svc-user

New-SafeguardDirectory -ServiceAccountDistinguishedName "cn=dev-sa,ou=people,dc=ldap,dc=domain,dc=corp" -NoSslEncryption

function New-SafeguardDirectory
# Create a directory. On appliances at version 2.7 or later this creates an
# asset on the OpenLDAP or Active Directory platform via New-SafeguardAsset;
# on older appliances it POSTs a v2 Directories body.
# NOTE(review): the Param block, braces, else lines and the closing lines of
# both legacy hashtables (including the continuation that converts
# $ServiceAccountPassword for the request body) are not visible in this
# listing; presumably the SecureString is converted to plaintext there for
# transmission — confirm against the full source.

    # Default to terminating errors and inherit the caller's verbosity unless
    # the caller passed -ErrorAction / -Verbose explicitly.
    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }
    # Local helpers (version check, asset creation) from sibling modules.
    Import-Module -Name "$PSScriptRoot\datatypes.psm1" -Scope Local
    Import-Module -Name "$PSScriptRoot\sg-utilities.psm1" -Scope Local

    # Prompt as a SecureString so the password is neither echoed nor left in
    # the command line / history when the caller omits it.
    if (-not $PSBoundParameters.ContainsKey("ServiceAccountPassword"))
        $ServiceAccountPassword = (Read-Host -AsSecureString "ServiceAccountPassword")

    # 2.7+: directories are assets; delegate to New-SafeguardAsset with the
    # platform looked up by name. The AD call is presumably the else branch.
    if (Test-SafeguardMinVersionInternal -Appliance $Appliance -Insecure:$Insecure -MinVersion 2.7)
        if ($PSCmdlet.ParameterSetName -eq "Ldap")
            $local:LdapPlatformId = (Find-SafeguardPlatform "OpenLDAP" -Appliance $Appliance -AccessToken $AccessToken -Insecure:$Insecure)[0].Id
            New-SafeguardAsset -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure -DisplayName $NetworkAddress -Platform $local:LdapPlatformId `
                -ServiceAccountDistinguishedName $ServiceAccountDistinguishedName -ServiceAccountPassword $ServiceAccountPassword `
                -ServiceAccountCredentialType "password" -Description $Description -NetworkAddress $NetworkAddress -Port $Port `
                -NoSslEncryption:$NoSslEncryption -DoNotVerifyServerSslCertificate:$DoNotVerifyServerSslCertificate
            # For AD the domain name doubles as display name and network address.
            $local:AdPlatformId = (Find-SafeguardPlatform "Active Directory" -Appliance $Appliance -AccessToken $AccessToken -Insecure:$Insecure)[0].Id
            New-SafeguardAsset -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure -DisplayName $ServiceAccountDomainName -Platform $local:AdPlatformId `
                -ServiceAccountName $ServiceAccountName -ServiceAccountDomainName $ServiceAccountDomainName -ServiceAccountPassword $ServiceAccountPassword `
                -ServiceAccountCredentialType "password" -NetworkAddress $ServiceAccountDomainName -Description $Description
        # Pre-2.7 (presumably the else branch): build the legacy Directories
        # body. Here ConnectionProperties is a top-level key, so the
        # $local:Body.ConnectionProperties assignments below are consistent.
        # NOTE(review): the two Find-SafeguardPlatform calls on this path omit
        # -Insecure:$Insecure, unlike the calls on the 2.7+ path above.
        if ($PSCmdlet.ParameterSetName -eq "Ldap")
            $local:LdapPlatformId = (Find-SafeguardPlatform "OpenLDAP" -Appliance $Appliance -AccessToken $AccessToken)[0].Id
            # TLS and certificate verification are on by default and only
            # switched off by the explicit opt-out flags below.
            $local:Body = @{
                PlatformId = $local:LdapPlatformId;
                ConnectionProperties = @{
                    UseSslEncryption = $true;
                    VerifySslCertificate = $true;
                    ServiceAccountDistinguishedName = $ServiceAccountDistinguishedName;
                    ServiceAccountPassword = `
            if ($PSBoundParameters.ContainsKey("NetworkAddress"))
                $local:Body.ConnectionProperties.NetworkAddress = $NetworkAddress
            if ($PSBoundParameters.ContainsKey("Port"))
                $local:Body.ConnectionProperties.Port = $Port
            # Disabling TLS leaves nothing to verify, so both flags are cleared.
            # Either opt-out weakens the LDAP transport (cleartext, or TLS
            # without server authentication) and exposes the service-account
            # bind to interception or impersonation; use only where acceptable.
            if ($NoSslEncryption)
                $local:Body.ConnectionProperties.UseSslEncryption = $false
                $local:Body.ConnectionProperties.VerifySslCertificate = $false
            if ($DoNotVerifyServerSslCertificate)
                $local:Body.ConnectionProperties.VerifySslCertificate = $false
            # Active Directory body (presumably the else branch of the Ldap check).
            $local:AdPlatformId = (Find-SafeguardPlatform "Active Directory" -Appliance $Appliance -AccessToken $AccessToken)[0].Id
            $local:Body = @{
                PlatformId = $local:AdPlatformId;
                ConnectionProperties = @{
                    ServiceAccountDomainName = $ServiceAccountDomainName;
                    ServiceAccountName = $ServiceAccountName;
                    ServiceAccountPassword = `
        if ($PSBoundParameters.ContainsKey("Description"))
            $local:Body.Description = $Description

        # The API response for the created directory is the cmdlet output.
        Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core POST Directories -Body $local:Body -Version 2

Test connection to a directory in Safeguard via the Web API.

Test the connection to a directory by attempting to determine whether or
not the configured service account can manage passwords for this directory.
This is an asynchronous task in Safeguard.

.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.

.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.

Ignore verification of Safeguard appliance SSL certificate.

.PARAMETER DirectoryToTest
An integer containing the ID of the directory to test connection to or a string containing the name.


JSON response from Safeguard Web API.

Test-SafeguardDirectory -AccessToken $token -Appliance -Insecure 5

Test-SafeguardDirectory internal.domain.corp

function Test-SafeguardDirectory
# Run the appliance's connection test for a directory (a long-running task),
# falling back to Test-SafeguardAsset when the Directories endpoint is gone.
# NOTE(review): the Param block, braces and try/catch lines are not visible
# in this listing; the structure below is inferred from indentation and from
# the use of $_.Exception before the 404/405 check.

    # Default to terminating errors and inherit the caller's verbosity unless
    # the caller passed -ErrorAction / -Verbose explicitly.
    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

        # Presumably inside a try block: resolve the name to an Id, then POST
        # the test and wait for the task.
        $local:DirectoryId = Resolve-SafeguardDirectoryId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $DirectoryToTest
        Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core `
            POST "Directories/$($local:DirectoryId)/TestConnection" -LongRunningTask -Version 2
        # Presumably the catch block: only a missing endpoint (404/405) falls
        # back to the asset test; any other error propagates.
        if ($_.Exception.HttpStatusCode -eq 404 -or $_.Exception.HttpStatusCode -eq 405)
            Test-SafeguardAsset -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure -AssetToTest $DirectoryToTest

Remove a directory from Safeguard via the Web API.

Remove a directory from Safeguard. Make sure it is not in use before
you remove it.

.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.

.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.

Ignore verification of Safeguard appliance SSL certificate.

.PARAMETER DirectoryToDelete
An integer containing the ID of the directory to remove or a string containing the name.


JSON response from Safeguard Web API.

Remove-SafeguardDirectory -AccessToken $token -Appliance -Insecure 5

Remove-SafeguardDirectory internal.domain.corp

function Remove-SafeguardDirectory
# Delete a directory by Id or name, falling back to Remove-SafeguardAsset when
# the Directories endpoint is gone.
# NOTE(review): the Param block, braces and try/catch lines are not visible
# in this listing. No confirmation step is visible before the DELETE; the
# help text leaves the in-use check to the caller.

    # Default to terminating errors and inherit the caller's verbosity unless
    # the caller passed -ErrorAction / -Verbose explicitly.
    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

        # Presumably inside a try block: resolution throws unless exactly one
        # directory matches, which guards the DELETE against ambiguous names.
        $local:DirectoryId = Resolve-SafeguardDirectoryId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $DirectoryToDelete
        Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core DELETE "Directories/$($local:DirectoryId)" -Version 2
        # Presumably the catch block: only a missing endpoint (404/405) falls
        # back to asset removal; any other error propagates.
        if ($_.Exception.HttpStatusCode -eq 404 -or $_.Exception.HttpStatusCode -eq 405)
            Remove-SafeguardAsset -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure -AssetToDelete $DirectoryToDelete

Edit existing directory in Safeguard via the Web API.

Edit an existing directory in Safeguard that can be used to manage accounts.

.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.

.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.

Ignore verification of Safeguard appliance SSL certificate.

.PARAMETER DirectoryToEdit
An integer containing the ID of the directory to edit or a string containing the name.

.PARAMETER ServiceAccountDomainName
A string containing the service account domain name if it has one. This is used
for creating AD directories.

.PARAMETER ServiceAccountName
A string containing the service account name. This is used for creating AD directories.

.PARAMETER ServiceAccountDistinguishedName
A string containing the LDAP distinguished name of a service account. This is used for
creating LDAP directories.

.PARAMETER ServiceAccountPassword
A SecureString containing the password to use for the service account.

.PARAMETER NetworkAddress
A string containing the network address for this directory. This is used for creating
LDAP directories.

An integer containing the port for this directory. This is used for creating
LDAP directories.

.PARAMETER NoSslEncryption
Do not use SSL encryption for LDAP directory.

.PARAMETER DoNotVerifyServerSslCertificate
Do not verify Server SSL certificate of LDAP directory.

.PARAMETER Description
A string containing a description for this directory.

.PARAMETER DirectoryObject
An object containing the existing directory with desired properties set.


JSON response from Safeguard Web API.

Edit-SafeguardDirectory -AccessToken $token -Appliance -Insecure internal.domain.corp

Edit-SafeguardDirectory ldap.domain.corp -ServiceAccountDistinguishedName "cn=dev-sa,ou=people,dc=ldap,dc=domain,dc=corp" -NoSslEncryption

Edit-SafeguardDirectory -DirectoryObject $obj

function Edit-SafeguardDirectory
# NOTE(review): param block, braces and try/catch are missing from this listing.
# Two parameter sets are referenced below: "Object" (caller supplies a whole
# directory object) and "Attributes" (caller names the directory and the
# individual properties to change).

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    # Object set: a null object would be PUT as an empty body, so reject it early.
    if ($PsCmdlet.ParameterSetName -eq "Object" -and -not $DirectoryObject)
        throw "DirectoryObject must not be null"

    # Attributes set: prompt interactively when no directory was named, then
    # resolve name-or-ID to the numeric ID.
    if ($PsCmdlet.ParameterSetName -eq "Attributes")
        if (-not $PSBoundParameters.ContainsKey("DirectoryToEdit"))
            $DirectoryToEdit = (Read-Host "DirectoryToEdit")
        $local:DirectoryId = Resolve-SafeguardDirectoryId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $DirectoryToEdit

    # Start from the stored object so that only explicitly bound parameters
    # overwrite existing properties.
    if (-not ($PsCmdlet.ParameterSetName -eq "Object"))
        $DirectoryObject = (Get-SafeguardDirectory -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $local:DirectoryId)

        # Connection Properties
        if (-not $DirectoryObject.ConnectionProperties) { $DirectoryObject.ConnectionProperties = @{} }
        if ($PSBoundParameters.ContainsKey("Port")) { $DirectoryObject.ConnectionProperties.Port = $Port }

        if ($PSBoundParameters.ContainsKey("ServiceAccountDomainName")) { $DirectoryObject.ConnectionProperties.ServiceAccountDomainName = $ServiceAccountDomainName }
        if ($PSBoundParameters.ContainsKey("ServiceAccountName")) { $DirectoryObject.ConnectionProperties.ServiceAccountName = $ServiceAccountName }
        # NOTE(review): the continuation line carrying the right-hand side of this
        # assignment is not in this listing; presumably the SecureString is
        # converted to plain text here (as Set-SafeguardDirectoryAccountPassword
        # does) before being placed in the request body -- confirm.
        if ($PSBoundParameters.ContainsKey("ServiceAccountPassword"))
            $DirectoryObject.ConnectionProperties.ServiceAccountPassword = `
        if ($PSBoundParameters.ContainsKey("ServiceAccountDistinguishedName")) { $DirectoryObject.ConnectionProperties.ServiceAccountDistinguishedName = $ServiceAccountDistinguishedName }
        # -NoSslEncryption clears BOTH flags: the LDAP bind will be unencrypted and
        # no certificate check is possible without TLS. The service-account
        # credential then crosses the network in clear; the help text for this
        # switch should say so.
        if ($NoSslEncryption)
            $DirectoryObject.ConnectionProperties.UseSslEncryption = $false
            $DirectoryObject.ConnectionProperties.VerifySslCertificate = $false
        # Keeps TLS but disables server certificate validation for the directory.
        if ($DoNotVerifyServerSslCertificate)
            $DirectoryObject.ConnectionProperties.VerifySslCertificate = $false

        # Body
        if ($PSBoundParameters.ContainsKey("Description")) { $DirectoryObject.Description = $Description }
        if ($PSBoundParameters.ContainsKey("NetworkAddress")) { $DirectoryObject.NetworkAddress = $NetworkAddress }

        # Whole-object PUT against the legacy Directories resource.
        Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core PUT "Directories/$($DirectoryObject.Id)" -Body $DirectoryObject -Version 2
        # 404/405: appliance is 2.7+ where directories are assets; re-submit the
        # same object through the asset cmdlet. Other failures are not handled here.
        if ($_.Exception.HttpStatusCode -eq 404 -or $_.Exception.HttpStatusCode -eq 405)
            Edit-SafeguardAsset -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure -AssetObject $DirectoryObject

Synchronize an existing directory in Safeguard via the Web API.

Synchronize an existing directory in Safeguard.

.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.

.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.

Ignore verification of Safeguard appliance SSL certificate.

.PARAMETER DirectoryToSync
An integer containing the ID of the directory to synchronize or a string containing the name.


JSON response from Safeguard Web API.

Sync-SafeguardDirectory -AccessToken $token -Appliance -Insecure 5

Sync-SafeguardDirectory internal.domain.corp

function Sync-SafeguardDirectory
# NOTE(review): only one line of the param block survives in this listing;
# braces and try/catch are missing as well.
        # Partition passed through to the asset fallback; -1 presumably means
        # "no specific partition" -- confirm against Sync-SafeguardDirectoryAsset.
        [object]$AssetPartition = -1

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

        # Fetch the directory first so the log line can show its name and the
        # POST can use its numeric ID.
        $local:Directory = Get-SafeguardDirectory -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $DirectoryToSync
        # Style: Write-Host bypasses the output stream and cannot be captured or
        # silenced by callers; the sibling cmdlets use Write-Verbose for this.
        Write-Host "Triggering sync for directory: $($local:Directory.Name)"
        Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core POST "Directories/$($local:Directory.Id)/Synchronize" -Version 2
        # "Retrying..." is printed before the status check, so it also appears
        # when the status is not 404/405 and no retry happens. If the catch
        # block (not visible here) does not rethrow, such errors are swallowed.
        Write-Host "Exception while triggering sync for directory: $($local:Directory.Name). Retrying..."
        if ($_.Exception.HttpStatusCode -eq 404 -or $_.Exception.HttpStatusCode -eq 405)
            Sync-SafeguardDirectoryAsset -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure -AssetPartition $AssetPartition -DirectoryAssetToSync $DirectoryToSync

Get accounts on directories managed by Safeguard via the Web API.

Get accounts on directories managed by Safeguard. Account passwords can be managed,
and Safeguard can be configured to check and change those passwords. Policy can
be created to allow access to passwords and sessions based on those passwords.

.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.

.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.

Ignore verification of Safeguard appliance SSL certificate.

.PARAMETER DirectoryToGet
An integer containing the ID of the directory to get accounts from or a string containing the name.

An integer containing the ID of the account to get or a string containing the name.

An array of the account property names to return.


JSON response from Safeguard Web API.

Get-SafeguardDirectoryAccount -AccessToken $token -Appliance -Insecure domain.blah.corp administrator

Get-SafeguardDirectoryAccount -AccountToGet adm-domain-a

function Get-SafeguardDirectoryAccount
# NOTE(review): param block, braces, else branches and try/catch are missing
# from this listing. The visible branches are: directory+account, directory
# only, account only, and neither (all directory accounts).

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    # Optional field projection, sent as a comma-separated "fields" query parameter.
    $local:Parameters = $null
    if ($Fields)
        $local:Parameters = @{ fields = ($Fields -join ",")}

        if ($PSBoundParameters.ContainsKey("DirectoryToGet"))
            $local:DirectoryId = (Resolve-SafeguardDirectoryId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $DirectoryToGet)
            if ($PSBoundParameters.ContainsKey("AccountToGet"))
                # Account is resolved within the scope of the named directory.
                $local:AccountId = (Resolve-SafeguardDirectoryAccountId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure -DirectoryId $local:DirectoryId $AccountToGet)
                Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core `
                    GET "DirectoryAccounts/$($local:AccountId)" -Version 2 -Parameters $local:Parameters
                # (else) all accounts of the named directory
                Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core `
                    GET "Directories/$($local:DirectoryId)/Accounts" -Version 2 -Parameters $local:Parameters
            if ($PSBoundParameters.ContainsKey("AccountToGet"))
                # Account resolved without a directory scope.
                $local:AccountId = (Resolve-SafeguardDirectoryAccountId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $AccountToGet)
                Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core `
                    GET "DirectoryAccounts/$($local:AccountId)" -Version 2 -Parameters $local:Parameters
                # NOTE(review): these two calls omit -Insecure:$Insecure, unlike every
                # other call in this cmdlet; with an untrusted appliance certificate
                # they would presumably fail even when the caller passed -Insecure.
                # [0].Id also assumes the platform lookup returns at least one match.
                $local:LdapPlatformId = (Find-SafeguardPlatform "OpenLDAP" -Appliance $Appliance -AccessToken $AccessToken)[0].Id
                $local:AdPlatformId = (Find-SafeguardPlatform "Active Directory" -Appliance $Appliance -AccessToken $AccessToken)[0].Id

                # PlatformId is needed for the client-side filter below, so it is
                # forced into the projection. This mutates the bound $Fields, which
                # the 404/405 fallback further down then appends to again.
                if ($Fields)
                    $Fields += "PlatformId"
                    $local:Parameters = @{ fields = ($Fields -join ",")}
                # Keep only accounts whose platform is OpenLDAP or Active Directory.
                (Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core `
                    GET "DirectoryAccounts" -Version 2 -Parameters $local:Parameters) | Where-Object {
                        ($_.PlatformId -eq $local:LdapPlatformId) -or ($_.PlatformId -eq $local:AdPlatformId)
        # 404/405: 2.7+ appliance where directory accounts are asset accounts;
        # mirror the four branches above through Get-SafeguardAssetAccount.
        if ($_.Exception.HttpStatusCode -eq 404 -or $_.Exception.HttpStatusCode -eq 405)
            if ($PSBoundParameters.ContainsKey("DirectoryToGet"))
                if ($PSBoundParameters.ContainsKey("AccountToGet"))
                    Get-SafeguardAssetAccount -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure `
                        -AssetToGet $DirectoryToGet -AccountToGet $AccountToGet -Fields $Fields
                    Get-SafeguardAssetAccount -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure `
                        -AssetToGet $DirectoryToGet -Fields $Fields
                if ($PSBoundParameters.ContainsKey("AccountToGet"))
                    Get-SafeguardAssetAccount -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure `
                        -AccountToGet $AccountToGet -Fields $Fields
                    # Same -Insecure omission as above.
                    $local:LdapPlatformId = (Find-SafeguardPlatform "OpenLDAP" -Appliance $Appliance -AccessToken $AccessToken)[0].Id
                    $local:AdPlatformId = (Find-SafeguardPlatform "Active Directory" -Appliance $Appliance -AccessToken $AccessToken)[0].Id

                    if ($Fields)
                        $Fields += "PlatformId"
                    (Get-SafeguardAssetAccount -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure -Fields $Fields) | Where-Object {
                        ($_.PlatformId -eq $local:LdapPlatformId) -or ($_.PlatformId -eq $local:AdPlatformId)

Search for a directory account in Safeguard via the Web API.

Search for a directory account in Safeguard for any string fields containing
the SearchString.

.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.

.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.

Ignore verification of Safeguard appliance SSL certificate.

.PARAMETER SearchString
A string to search for in the directory account.

.PARAMETER QueryFilter
A string to pass to the -filter query parameter in the Safeguard Web API.


JSON response from Safeguard Web API.

Find-SafeguardDirectoryAccount -AccessToken $token -Appliance -Insecure

Find-SafeguardDirectoryAccount "-adm"

Find-SafeguardDirectoryAccount -QueryFilter "DirectoryProperties.DomainName eq ''"

function Find-SafeguardDirectoryAccount
# NOTE(review): param block, braces, else branches and try/catch are missing
# from this listing. Two parameter sets are referenced: "Search" (free-text q
# parameter) and, by elimination, a filter set using $QueryFilter.

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

        # NOTE(review): $local:LdapPlatformId and $local:AdPlatformId are read in
        # every Where-Object below but are never assigned in the visible body
        # (Get-SafeguardDirectoryAccount resolves them via Find-SafeguardPlatform).
        # Unless they are set on lines missing from this listing, each comparison
        # is against $null and the filter drops every returned account.
        if ($PSCmdlet.ParameterSetName -eq "Search")
            (Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET "DirectoryAccounts" `
                -Parameters @{ q = $SearchString } -Version 2) | Where-Object {($_.PlatformId -eq $local:LdapPlatformId) -or ($_.PlatformId -eq $local:AdPlatformId)}
            # (else) caller-supplied filter expression passed verbatim to the API
            (Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET "DirectoryAccounts" `
                -Parameters @{ filter = $QueryFilter } -Version 2) | Where-Object {($_.PlatformId -eq $local:LdapPlatformId) -or ($_.PlatformId -eq $local:AdPlatformId)}
        # 404/405: 2.7+ appliance; same two searches through the asset-account
        # cmdlet, with the same (unassigned) platform-ID filter.
        if ($_.Exception.HttpStatusCode -eq 404 -or $_.Exception.HttpStatusCode -eq 405)
            if ($PSCmdlet.ParameterSetName -eq "Search")
                (Find-SafeguardAssetAccount -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure -SearchString $SearchString) | Where-Object {($_.PlatformId -eq $local:LdapPlatformId) -or ($_.PlatformId -eq $local:AdPlatformId)}
                (Find-SafeguardAssetAccount -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure -QueryFilter $QueryFilter) | Where-Object {($_.PlatformId -eq $local:LdapPlatformId) -or ($_.PlatformId -eq $local:AdPlatformId)}

Create a new account on a directory managed by Safeguard via the Web API.

Create a representation of an account on a managed directory. Account passwords can
be managed, and Safeguard can be configured to check and change those passwords.
Policy can be created to allow access to passwords and sessions based on those passwords.

.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.

.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.

Ignore verification of Safeguard appliance SSL certificate.

.PARAMETER ParentDirectory
An integer containing the ID of the directory to get accounts from or a string containing the name.

.PARAMETER NewAccountName
A string containing the name for the account.

A string containing the domain name for the account if different from parent directory.

.PARAMETER DistinguishedName
A string containing the distinguished name of the new account in LDAP.


JSON response from Safeguard Web API.

New-SafeguardDirectoryAccount -AccessToken $token -Appliance -Insecure blah.corp administrator -DomainName sub.blah.corp

New-SafeguardDirectoryAccount administrator -DistinguishedName "cn=administrator,dc=ldap,dc=company,dc=corp"

function New-SafeguardDirectoryAccount
# NOTE(review): param block, braces, else branches and try/catch are missing
# from this listing (the hashtable at the top of the body is also cut short).

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

        # Fetch the parent directory: its Id goes into the body and its Domains
        # list is used to pick a domain when the caller did not name one.
        $local:Directory = (Get-SafeguardDirectory -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $ParentDirectory)

        $local:Body = @{
            "Name" = $NewAccountName;
            "DirectoryProperties" = @{
                "DirectoryId" = $local:Directory.Id;

        # Domain selection precedence: explicit -DomainName, then explicit
        # -DistinguishedName (LDAP), otherwise derive a domain from the parent.
        if ($PSBoundParameters.ContainsKey("DomainName"))
            $local:Body.DirectoryProperties.DomainName = $DomainName
        elseif ($PSBoundParameters.ContainsKey("DistinguishedName"))
            $local:Body.DirectoryProperties.DistinguishedName = $DistinguishedName
            # (else) If the parent was given by name, prefer the directory domain
            # whose name matches it case-insensitively; fall back to the first
            # domain. Note "-as [string]" is also true for a numeric ID, so the
            # match is simply attempted and misses in that case. Domains[0]
            # assumes the directory has at least one domain.
            if ($ParentDirectory -as [string])
                $local:MatchedDomain = ($local:Directory.Domains | Where-Object { $_.DomainName -ieq ([string]$ParentDirectory) })
            if ($local:MatchedDomain)
                $local:Body.DirectoryProperties.DomainName = $local:MatchedDomain.DomainName
                # $DomainName is also updated so the 404/405 fallback sees the
                # derived value.
                $DomainName = $local:MatchedDomain.DomainName
                $local:Body.DirectoryProperties.DomainName = $local:Directory.Domains[0].DomainName
                $DomainName = $local:Directory.Domains[0].DomainName

        Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core POST "DirectoryAccounts" -Body $local:Body -Version 2
        # 404/405: 2.7+ appliance; create it as an asset account instead.
        # NOTE(review): -Description $Description is forwarded here but no
        # Description parameter appears in this cmdlet's visible help -- confirm
        # it exists in the (missing) param block.
        if ($_.Exception.HttpStatusCode -eq 404 -or $_.Exception.HttpStatusCode -eq 405)
            New-SafeguardAssetAccount -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure -ParentAsset $ParentDirectory -NewAccountName $NewAccountName -DomainName $DomainName -DistinguishedName $DistinguishedName -Description $Description

Edit an existing account on a directory managed by Safeguard via the Web API.

Edit an existing directory account in Safeguard. Account passwords can be managed,
and Safeguard can be configured to check and change those passwords.
Policy can be created to allow access to passwords and sessions based
on those passwords.

.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.

.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.

Ignore verification of Safeguard appliance SSL certificate.

.PARAMETER AccountObject
An object containing the existing directory account with desired properties set.


JSON response from Safeguard Web API.

Edit-SafeguardDirectoryAccount -AccessToken $token -Appliance -Insecure

Edit-SafeguardDirectoryAccount -AccountObject $obj

function Edit-SafeguardDirectoryAccount
# NOTE(review): param block, braces and try/catch are missing from this listing.

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    # Object set only: a null object would be PUT as an empty body.
    if ($PsCmdlet.ParameterSetName -eq "Object" -and -not $AccountObject)
        throw "AccountObject must not be null"
        # Whole-object PUT against the legacy DirectoryAccounts resource.
        Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core PUT "DirectoryAccounts/$($AccountObject.Id)" -Body $AccountObject -Version 2
        # NOTE(review): on 404/405 the caller's object is replaced by a fresh copy
        # fetched from the appliance, and that copy is what gets submitted. The
        # properties the caller changed are therefore not sent, so on a 2.7+
        # appliance this edit is effectively a no-op (assuming
        # Get-SafeguardAssetAccount returns the stored object unchanged).
        if ($_.Exception.HttpStatusCode -eq 404 -or $_.Exception.HttpStatusCode -eq 405)
            $AccountObject = Get-SafeguardAssetAccount -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure -AccountToGet $AccountObject.Id
            Edit-SafeguardAssetAccount -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure -AccountObject $AccountObject

Set account password inside Safeguard for directory under management via the Web API.

Set the password in Safeguard for an account on a directory under management. This
just modifies what is stored in Safeguard. It does not change the actual password
of the account.

.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.

.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.

Ignore verification of Safeguard appliance SSL certificate.

.PARAMETER DirectoryToSet
An integer containing the ID of the directory to set account password on or a string containing the name.

An integer containing the ID of the account to set password on or a string containing the name.

.PARAMETER NewPassword
A SecureString containing the new password to set.


JSON response from Safeguard Web API.

Set-SafeguardDirectoryAccountPassword -AccessToken $token -Appliance -Insecure internal.blah.corp administrator

Set-SafeguardDirectoryAccountPassword -AccountToSet oracle -NewPassword $pass

function Set-SafeguardDirectoryAccountPassword
# NOTE(review): param block, braces, else branches and try/catch are missing
# from this listing.

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    # Prompt without echo when no password was supplied.
    if (-not $NewPassword)
        $NewPassword = (Read-Host -AsSecureString "NewPassword")

        # Resolve the account within the named directory, or globally (else).
        if ($PSBoundParameters.ContainsKey("DirectoryToSet"))
            $local:DirectoryId = (Resolve-SafeguardDirectoryId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $DirectoryToSet)
            $local:AccountId = (Resolve-SafeguardDirectoryAccountId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure -DirectoryId $local:DirectoryId $AccountToSet)
            $local:AccountId = (Resolve-SafeguardDirectoryAccountId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $AccountToSet)

        # The API takes the password as a plain-text body, so the SecureString is
        # decrypted here. NOTE(review): the BSTR returned by SecureStringToBSTR is
        # never released with ZeroFreeBSTR on these lines, so an unmanaged copy
        # of the password is left in memory, and the managed string cannot be
        # zeroed at all. Keep the plain-text lifetime as short as possible; with
        # -Insecure the request is also sent without certificate validation.
        $local:PasswordPlainText = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($NewPassword))
        Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core PUT "DirectoryAccounts/$($local:AccountId)/Password" `
            -Body $local:PasswordPlainText -Version 2
        # 404/405: 2.7+ appliance; the asset cmdlet receives the SecureString
        # and does its own conversion.
        if ($_.Exception.HttpStatusCode -eq 404 -or $_.Exception.HttpStatusCode -eq 405)
            if ($PSBoundParameters.ContainsKey("DirectoryToSet"))
                Set-SafeguardAssetAccountPassword -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure -NewPassword $NewPassword -AssetToSet $DirectoryToSet -AccountToSet $AccountToSet
                Set-SafeguardAssetAccountPassword -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure -NewPassword $NewPassword -AccountToSet $AccountToSet

Generate a directory account password based on profile via the Web API.

Generate a directory account password based on profile. The password is not actually stored in
Safeguard, but it could be stored using Set-SafeguardDirectoryAccountPassword. This can
be used to facilitate manual password management.

.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.

.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.

Ignore verification of Safeguard appliance SSL certificate.

.PARAMETER DirectoryToUse
An integer containing the ID of the directory to generate password for or a string containing the name.

An integer containing the ID of the account to generate password for or a string containing the name.


JSON response from Safeguard Web API.

New-SafeguardDirectoryAccountRandomPassword -AccessToken $token -Appliance -Insecure domain.blah.corp administrator

New-SafeguardDirectoryAccountRandomPassword -AccountToUse administrator

function New-SafeguardDirectoryAccountRandomPassword
# NOTE(review): param block, braces, else branches and try/catch are missing
# from this listing.

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

        # Resolve the account within the named directory, or globally (else).
        if ($PSBoundParameters.ContainsKey("DirectoryToUse"))
            $local:DirectoryId = (Resolve-SafeguardDirectoryId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $DirectoryToUse)
            $local:AccountId = (Resolve-SafeguardDirectoryAccountId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure -DirectoryId $local:DirectoryId $AccountToUse)
            $local:AccountId = (Resolve-SafeguardDirectoryAccountId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $AccountToUse)
        # Returns a generated password; per the help it is not stored, so the
        # response contains the secret in clear and should be handled as such.
        Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core POST "DirectoryAccounts/$($local:AccountId)/GeneratePassword" -Version 2
        # 404/405: 2.7+ appliance; use the asset-account cmdlet.
        if ($_.Exception.HttpStatusCode -eq 404 -or $_.Exception.HttpStatusCode -eq 405)
            if ($PSBoundParameters.ContainsKey("DirectoryToUse"))
                New-SafeguardAssetAccountRandomPassword -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure -AssetToUse $DirectoryToUse -AccountToUse $AccountToUse
                New-SafeguardAssetAccountRandomPassword -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure -AccountToUse $AccountToUse

Run check password on a directory account managed by Safeguard via the Web API.

Run a task to check whether Safeguard still has the correct password for
an account on a managed directory.

.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.

.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.

Ignore verification of Safeguard appliance SSL certificate.

.PARAMETER DirectoryToUse
An integer containing the ID of the directory to check password for or a string containing the name.

An integer containing the ID of the account to check password for or a string containing the name.


JSON response from Safeguard Web API.

Test-SafeguardDirectoryAccountPassword -AccessToken $token -Appliance -Insecure domain.blah.corp administrator

Test-SafeguardDirectoryAccountPassword -AccountToUse administrator

function Test-SafeguardDirectoryAccountPassword
# NOTE(review): param block, braces, else branches and try/catch are missing
# from this listing.

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

        # Resolve the account within the named directory, or globally (else).
        if ($PSBoundParameters.ContainsKey("DirectoryToUse"))
            $local:DirectoryId = (Resolve-SafeguardDirectoryId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $DirectoryToUse)
            $local:AccountId = (Resolve-SafeguardDirectoryAccountId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure -DirectoryId $local:DirectoryId $AccountToUse)
            $local:AccountId = (Resolve-SafeguardDirectoryAccountId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $AccountToUse)
        # CheckPassword is a long-running task on the appliance; -LongRunningTask
        # makes the helper wait for it rather than return the task handle.
        Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core POST "DirectoryAccounts/$($local:AccountId)/CheckPassword" -LongRunningTask -Version 2
        # 404/405: 2.7+ appliance; use the asset-account cmdlet.
        if ($_.Exception.HttpStatusCode -eq 404 -or $_.Exception.HttpStatusCode -eq 405)
            if ($PSBoundParameters.ContainsKey("DirectoryToUse"))
                Test-SafeguardAssetAccountPassword -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure -AssetToUse $DirectoryToUse -AccountToUse $AccountToUse
                Test-SafeguardAssetAccountPassword -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure -AccountToUse $AccountToUse

Run change password on a directory account managed by Safeguard via the Web API.

Run a task to change the password on a directory account managed by Safeguard. This rotates the
password on the actual directory and stores the new value in Safeguard.

.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.

.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.

Ignore verification of Safeguard appliance SSL certificate.

.PARAMETER DirectoryToUse
An integer containing the ID of the directory to change password for or a string containing the name.

An integer containing the ID of the account to change password for or a string containing the name.


JSON response from Safeguard Web API.

Invoke-SafeguardDirectoryAccountPasswordChange -AccessToken $token -Appliance -Insecure domain.blah.corp administrator

Invoke-SafeguardDirectoryAccountPasswordChange -AccountToUse administrator

function Invoke-SafeguardDirectoryAccountPasswordChange
# NOTE(review): param block, braces, else branches and try/catch are missing
# from this listing.

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

        # Resolve the account within the named directory, or globally (else).
        if ($PSBoundParameters.ContainsKey("DirectoryToUse"))
            $local:DirectoryId = (Resolve-SafeguardDirectoryId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $DirectoryToUse)
            $local:AccountId = (Resolve-SafeguardDirectoryAccountId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure -DirectoryId $local:DirectoryId $AccountToUse)
            $local:AccountId = (Resolve-SafeguardDirectoryAccountId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $AccountToUse)
        # Rotates the credential on the directory itself (see help); treated as a
        # long-running task, so the helper waits for the appliance to finish.
        Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core POST "DirectoryAccounts/$($local:AccountId)/ChangePassword" -LongRunningTask -Version 2
        # 404/405: 2.7+ appliance; use the asset-account cmdlet.
        if ($_.Exception.HttpStatusCode -eq 404 -or $_.Exception.HttpStatusCode -eq 405)
            if ($PSBoundParameters.ContainsKey("DirectoryToUse"))
                Invoke-SafeguardAssetAccountPasswordChange -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure -AssetToUse $DirectoryToUse -AccountToUse $AccountToUse
                Invoke-SafeguardAssetAccountPasswordChange -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure -AccountToUse $AccountToUse

Remove a directory account from Safeguard via the Web API.

Remove a directory account from Safeguard. Make sure it is not in use before
you remove it.

.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.

.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.

Ignore verification of Safeguard appliance SSL certificate.

.PARAMETER DirectoryToUse
An integer containing the ID of the directory to remove the account from or a string containing the name.

.PARAMETER AccountToDelete
An integer containing the ID of the directory account to remove or a string containing the name.


JSON response from Safeguard Web API.

Remove-SafeguardDirectoryAccount -AccessToken $token -Appliance -Insecure 5 23

Remove-SafeguardDirectoryAccount administrator

function Remove-SafeguardDirectoryAccount
# NOTE(review): param block, braces, else branches and try/catch are missing
# from this listing.

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

        # Resolve the account within the named directory, or globally (else).
        # Scoping by directory avoids deleting a same-named account elsewhere.
        if ($PSBoundParameters.ContainsKey("DirectoryToUse"))
            $local:DirectoryId = (Resolve-SafeguardDirectoryId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $DirectoryToUse)
            $local:AccountId = (Resolve-SafeguardDirectoryAccountId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure -DirectoryId $local:DirectoryId $AccountToDelete)
            $local:AccountId = (Resolve-SafeguardDirectoryAccountId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $AccountToDelete)
        # Legacy DirectoryAccounts resource; no confirmation prompt is issued here.
        Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core DELETE "DirectoryAccounts/$($local:AccountId)" -Version 2
        # 404/405: 2.7+ appliance; delete through the asset-account cmdlet.
        if ($_.Exception.HttpStatusCode -eq 404 -or $_.Exception.HttpStatusCode -eq 405)
            if ($PSBoundParameters.ContainsKey("DirectoryToUse"))
                Remove-SafeguardAssetAccount -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure -AssetToUse $DirectoryToUse -AccountToDelete $AccountToDelete
                Remove-SafeguardAssetAccount -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure -AccountToDelete $AccountToDelete

Get directory migration data from Safeguard audit log via the Web API.

Early versions of Safeguard treated directories as a dual entity that was
part identity provider (used for Safeguard user login) and part asset
(used for managing Safeguard accounts). Safeguard version 2.7 and greater
removed the concept of directories as a dual entity and split them into
identity providers and assets. This cmdlet will get a report of the migrated
directories and what their new identity provider and asset IDs are.

Use the -Verbose parameter to see additional information.

.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.

.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.

Ignore verification of Safeguard appliance SSL certificate.


Get-SafeguardDirectoryMigrationData -Verbose

function Get-SafeguardDirectoryMigrationData

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }
    Import-Module -Name "$PSScriptRoot\sg-utilities.psm1" -Scope Local

    if (-not (Test-SafeguardMinVersionInternal -Appliance $Appliance -Insecure:$Insecure -MinVersion 2.7))
        throw "Directory migration data is only available for Safeguard version 2.7 and greater"

    $local:DirectoriesCreated = (Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure `
        Core GET "AuditLog/ObjectChanges/Directory" `
        -Parameters @{filter = "EventName eq 'DirectoryCreated'"; fields = "LogTime,EventName,ObjectName,ObjectId";
                      startDate = (Get-EntireAuditLogStartDateAsString)})
    Write-Verbose "Directories Created:"
    Write-Verbose ($local:DirectoriesCreated | Format-Table | Out-String)

    $local:DirectoriesDeleted = (Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure `
        Core GET "AuditLog/ObjectChanges/Directory" `
        -Parameters @{filter = "EventName eq 'DirectoryDeleted'"; fields = "LogTime,EventName,ObjectName,ObjectId";
                      startDate = (Get-EntireAuditLogStartDateAsString)})
    Write-Verbose "Directories Deleted:"
    Write-Verbose ($local:DirectoriesDeleted | Format-Table | Out-String)

    $local:IdentityProvidersCreated = (Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure `
        Core GET "AuditLog/ObjectChanges/IdentityProvider" `
        -Parameters @{filter = "EventName eq 'IdentityProviderCreated'"; fields = "LogTime,EventName,ObjectName,ObjectId";
                      startDate = (Get-EntireAuditLogStartDateAsString)})
    Write-Verbose "Directory Identity Providers Created:"
    Write-Verbose ($local:IdentityProvidersCreated | Format-Table | Out-String)

    $local:DirectoryAssetsCreated = (Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure `
        Core GET "AuditLog/ObjectChanges/Asset" `
        -Parameters @{filter = "EventName eq 'AssetCreated' and NewValue contains '`"IsDirectory`":true'";
                      fields = "LogTime,EventName,ObjectName,ObjectId";
                      startDate = (Get-EntireAuditLogStartDateAsString)})
    Write-Verbose "Directory Assets Created:"
    Write-Verbose ($local:DirectoryAssetsCreated | Format-Table | Out-String)

    Write-Verbose "Pruning Deleted Directories..."
    $local:MigratedDirectories = @()
    $local:DirectoriesCreated | ForEach-Object {
        if (-not ($_.ObjectId -in $local:DirectoriesDeleted.ObjectId))
            $local:MigratedDirectories += $_
    Write-Verbose "$($local:DirectoriesCreated.Count - $local:MigratedDirectories.Count) directories pruned from migration data set"

    Write-Verbose "Calculating Directory Migration Data..."
    $local:MigrationData = @()
    $local:IdentityProvidersCreated | ForEach-Object {
        $local:IdentityProvder = $_
        $local:MigratedDirectories | ForEach-Object {
            if ($local:IdentityProvder.ObjectName -eq $_.ObjectName)
                $local:MigrationData += (New-Object PSObject -Property ([ordered]@{
                    SchemaType = "IdentityProvider";
                    Name = $_.ObjectName;
                    OldId = $_.ObjectId;
                    NewId = $local:IdentityProvder.ObjectId
    $local:DirectoryAssetsCreated | ForEach-Object {
        $local:DirectoryAsset = $_
        $local:MigratedDirectories | ForEach-Object {
            if ($local:DirectoryAsset.ObjectName -eq $_.ObjectName)
                $local:MigrationData += (New-Object PSObject -Property ([ordered]@{
                    SchemaType = "Directory";
                    Name = $_.ObjectName;
                    OldId = $_.ObjectId;
                    NewId = $local:DirectoryAsset.ObjectId
