Privilege Management API Example Use Cases

Introduction

In the following section, we review a few typical use cases. They all assume that your config is a local file in the default location and that you have already loaded the modules required.

When adapting these examples to your use case, it is useful to reference PowerShell API.chm which resides in the PowerShell directory. This is usually located at:

C:/Program Files/Avecto/Privilege Guard Client/PowerShell     

For more information, please see Privilege Management Powershell API Reference Guide.

Application Groups

Add a New Application Definition (FileName contains) to an Existing Application Group with a New Application Definition
# Get settings
$PGConfig = Get-DefendpointSettings -LocalFile # Find target Application Group
$TargetAppGroup = $PGConfig.ApplicationGroups | Where-Object {$_.name -eq 'YourApplicationGroupName'} # Create an empty application definition $PGApp = new-object Avecto.Defendpoint.Settings.Application $PGConfig # Populate the things you want to $PGApp.Description = "Microsoft Calculator" $PGApp.Type = [Avecto.Defendpoint.Settings.ApplicationType]::Executable $PGApp.CheckFileName = 1 # 0 = Disabled 1 = Enabled $PGApp.FileName = "Calc.exe" $PGApp.FileNameStringMatchType = 2 # 2 = Contains (see StringMatchType in PowerShell API.chm) $PGApp.OpenDlgDropRights = 1 # Add the application definition to the target Application Group $TargetAppGroup.Applications.Add($PGApp) # Save the settings Set-DefendpointSettings -SettingsObject $PGConfig -LocalFile
Add a new Application Definition to an Existing Application Group with Get-DefendpointFileInformation
# Get settings
$PGConfig = Get-DefendpointSettings -LocalFile

# Find target Application Group
$TargetAppGroup = $PGConfig.ApplicationGroups | Where-Object {$_.name -eq 'YourApplicationGroupName'}

# Get the details of the file(s) you want to match on
$PGApp1 = Get-DefendpointFileInformation -Path 'C:\Windows\System32\cmd.exe'		

# Add the list of application definitions to the target app group
$TargetAppGroup.Applications.AddRange($PGApp1)

# Save the settings
Set-DefendpointSettings -SettingsObject $PGConfig -LocalFile

Account Filters

Add an Account to an Existing Account Filter
# Get the local settings file
$PGConfig = Get-DefendpointSettings -LocalFile

# Find the Workstyle you want to work with (Workstyles are known as policies here)
$TargetWorkstyle = $PGConfig.Policies | Where-Object {$_.name -eq 'YourWorkstyleName'}

# Get first account filter in list
$TargetAccountFilterCollection = $TargetWorkstyle.Filters.AccountsFilter[0]

# Create an account object and populate it’s values
$Account = New-Object Avecto.Defendpoint.Settings.Account
$Account.Name = Get-WmiObject win32_useraccount | Where-Object {$_.Name -eq 'AccountName' -and
$_.Domain -eq 'DomainName'} | % {return $_.Caption}
$Account.SID = Get-WmiObject win32_useraccount | Where-Object {$_.Name -eq 'AccountName' -and
$_.Domain -eq ‘DomainName’} | % {return $_.SID}


# Add new account to the filter collection
$TargetAccountFilterCollection.Accounts.WindowsAccounts.Add($Account)
# Save Settings
Set-DefendpointSettings -SettingsObject $PGConfig -LocalFile