Add-CertificateTemplateAcl
Synopsis
Adds new Access Control Entry (ACE) to a certificate template Access Control List (ACL).
Syntax
Add-CertificateTemplateAcl -InputObject <CertTemplateSecurityDescriptor[]> -Identity <NTAccount[]> -AccessType <AccessControlType> -AccessMask <CertTemplateRights> [<CommonParameters>]
Add-CertificateTemplateAcl -InputObject <CertTemplateSecurityDescriptor[]> -AccessRule <CertTemplateAccessRule[]> [<CommonParameters>]
Description
Adds new Access Control Entry (ACE) to a certificate template Access Control List (ACL).
This command only prepares new certificate template ACL object. In order to write it to the actual object in Active Directory use this command's result to Set-CertificateTemplateAcl cmdlet (see Examples section).
Note: in order to edit certificate template ACL, you must be granted for Enterprise Admins permissions or delegated permissions on 'Certificate Templates' Active Directory container.
Parameters
-AccessType <AccessControlType>
Specifies access type. Access type can be either: Allow or Deny. Try to avoid Deny access type usage. Instead, you should remove an account from the ACL or grant only required permissions.
| Required? | True |
| Position? | named |
| Default value | |
| Accept pipeline input? | False |
| Accept wildcard characters? | False |
-InputObject <CertTemplateSecurityDescriptor[]>
Specifies an ACL object of certificate template. This object can be retrieved by running Get-CertificateTemplateAcl command.
| Required? | True |
| Position? | named |
| Default value | |
| Accept pipeline input? | True |
| Accept wildcard characters? | False |
-AccessMask <CertTemplateRights>
Specifies a set of permissions to assign. The following values can be used: 'FullControl', 'Read', 'Write', 'Enroll', 'Autoenroll'.
| Required? | True |
| Position? | named |
| Default value | |
| Accept pipeline input? | False |
| Accept wildcard characters? | False |
-Identity <NTAccount[]>
Specifies a user, computer or a group to add to ACL. If the template is intended for computers, use computer accounts and groups that contain computer accounts. If the template is intended for users, use user accounts and groups that contain user accounts. Use only global and/or universal groups. Domain Local groups are not allowed.
| Required? | True |
| Position? | named |
| Default value | |
| Accept pipeline input? | False |
| Accept wildcard characters? | False |
-AccessRule <CertTemplateAccessRule[]>
Specifies access type. Access type can be either: Allow or Deny. Try to avoid Deny access type usage. Instead, you should remove an account from the ACL or grant only required permissions.
| Required? | True |
| Position? | named |
| Default value | |
| Accept pipeline input? | False |
| Accept wildcard characters? | False |
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216)
Inputs
SysadminsLV.PKI.Security.AccessControl.CertTemplateSecurityDescriptor
Outputs
SysadminsLV.PKI.Security.AccessControl.CertTemplateSecurityDescriptor
Notes
Examples
Example 1
PS C:\> Get-CertificateTemplate -Name WebServer | Get-CertificateTemplateAcl | Add-CertificateTemplateAcl -Identity "Web Servers Global" -AccessType Allow -AccessMask Read, Enroll | Set-CertificateTemplateAcl
This commands adds 'Web Servers Global' global security group to the certificate template 'WebServers' and grants Read and Enroll permissions. After that, a new ACL is written to the actual object.
Example 2
PS C:\> $SourceACL = Get-CertificateTemplate -Name "WebServer" | Get-CertificateTemplateAcl PS C:\> $DestinationACL = Get-CertificateTemplate -Name "WebServerV2" | Get-CertificateTemplateAcl | Remove-CertificateTemplateAcl -Force PS C:\> $DestinationACL | Add-CertificateTemplateAcl -AccessRule $SourceACL.Access | Set-CertificateTemplateAcl
This example shows techniques used to copy and replace ACL from source certificate template to destination certificate template. a) First line retrieves ACL from source certificate template with common name "WebServer". b) Second line retrieves existing ACL from destination certificate template and clears all Access Control Entries (ACE). c) Third line copies ACEs from source certificate template to destination certificate template.
Related links
- Get-CertificateTemplate
- Get-CertificateTemplateAcl
- Remove-CertificateTemplateAcl
- Set-CertificateTemplateAcl
Minimum PowerShell version support
- Windows PowerShell 3.0
Operating System Support
- Windows 7
- Windows 8
- Windows 8.1
- Windows 10
- Windows 11
- Windows Server 2008 R2 all editions
- Windows Server 2012 all editions
- Windows Server 2012 R2 all editions
- Windows Server 2016 all editions
- Windows Server 2019 all editions
- Windows Server 2022 all editions
- Windows Server 2025 all editions