Disable-InterfaceFlag

[This command requires installed Remote Server Administration Tools (RSAT)]

Synopsis

Disables Active Directory Certificate Services (AD CS) management or request interface settings.

Syntax

Disable-InterfaceFlag [-InputObject] <InterfaceFlag[]> [-Flag] <InterfaceFlagEnum> [-RestartCA] [<CommonParameters>]

Description

Disables Active Directory Certificate Services (AD CS) management or request interface settings.

The management interface is implemented in ICertAdmin and the request interface is implemented in ICertRequest. Interface flags limit how these interfaces can be used. For example, a flag can prevent remote AD CS management through the ICertAdmin interface and allow AD CS management only locally. Disabling a flag that imposes a restriction removes that restriction (see the Examples).

Parameters

-InputObject <InterfaceFlag[]>

Specifies the InterfaceFlag object to process. This object can be retrieved by running the Get-InterfaceFlag command.

Required? True
Position? 0
Default value  
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? False

-Flag <InterfaceFlagEnum>

Specifies the flag (or multiple flags) to disable. The following flags can be used:

LockICertRequest - the behavior for this flag is not defined and it should not be used.
NoRemoteICertRequest - the CA will not issue any certificates or hold pending any requests for remote users.
NoLocalICertRequest - the CA will not issue any certificates or hold pending any requests for local users.
NoRPCICertRequest - the CA will not issue any certificates or hold pending any requests for callers using the ICertPassage interface.
NoRemoteICertAdmin - no access to Certificate Services Remote Administration Protocol methods for remote callers.
NoLocalICertAdmin - no access to Certificate Services Remote Administration Protocol methods for local callers.
NoRemoteICertAdminBackup - the CA restricts access to the backup-related methods of this protocol for remote callers.
NoLocalICertAdminBackup - the CA restricts access to the backup-related methods of this protocol for local callers.
NoSnapshotBackup - the database files cannot be backed up using a mechanism other than the methods of the ICertAdmin2 interface.
EnforceEncryptICertRequest - RPC security settings (defined in http://msdn.microsoft.com/library/cc243867(PROT.10).aspx ) should be defined for all RPC connections to the server for certificate-request operations.
EnforceEncryptICertAdmin - RPC security settings (defined in http://msdn.microsoft.com/library/cc243867(PROT.10).aspx ) should be defined for all RPC connections to the server for certificate administrative operations (the methods defined in the ICertAdmin2 interface).
EnableExitKeyRetrieval - enables an exit algorithm to retrieve the Encrypted private-Key Blob.
EnableAdminAsAuditor - only CA administrators can update the CA audit filter settings.

Required? True
Position? 1
Default value  
Accept pipeline input? false
Accept wildcard characters? False

-RestartCA <SwitchParameter>

Restarts the CertSvc service on the specified CA server to immediately apply changes.

Required? False
Position? named
Default value  
Accept pipeline input? false
Accept wildcard characters? False

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).

Inputs

PKI.CertificateServices.Flags.InterfaceFlag

Outputs

PKI.CertificateServices.Flags.InterfaceFlag

Notes

Author: Vadims Podans
Blog: https://www.sysadmins.lv

Examples

Example 1

PS C:\> Get-CertificationAuthority -name "company-CA01" | Get-InterfaceFlag | Disable-InterfaceFlag -Flag "NoLocalICertRequest" -RestartCA

This example removes the local enrollment restriction for the "company-CA01" CA server. After the configuration is changed, the command will restart certificate services to immediately apply changes.

Example 2

PS C:\> Get-CertificationAuthority | Get-InterfaceFlag | Disable-InterfaceFlag -Flag "NoRemoteICertAdminBackup" -RestartCA

This example removes remote backup restrictions for all Enterprise CAs in the current Active Directory forest. After the configuration is changed, the command will restart certificate services to immediately apply changes.
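The following is an added example, not part of the original page or of the PSPKI module: a wrapper that records the interface flags before and after the change, refuses to disable the two EnforceEncrypt* flags unless explicitly allowed, and verifies the result. The function name Remove-InterfaceFlagChecked and the -AllowEncryptionDowngrade switch are hypothetical, and the InterfaceFlags property on the returned object is an assumption about the InterfaceFlag type.

```powershell
Import-Module PSPKI

# Hypothetical helper (not a PSPKI cmdlet): guarded wrapper around Disable-InterfaceFlag.
function Remove-InterfaceFlagChecked {
    param(
        [Parameter(Mandatory = $true)][string]$CAName,
        [Parameter(Mandatory = $true)][string]$Flag,
        [switch]$AllowEncryptionDowngrade   # hypothetical opt-in switch
    )
    # Per the -Flag description, these flags require RPC security settings on all
    # connections, so disabling them loosens transport protection.
    $protective = "EnforceEncryptICertRequest", "EnforceEncryptICertAdmin"
    if (($protective -contains $Flag) -and -not $AllowEncryptionDowngrade) {
        throw "Refusing to disable '$Flag' without -AllowEncryptionDowngrade."
    }

    $ca = Get-CertificationAuthority -Name $CAName
    if (-not $ca) { throw "CA '$CAName' was not found." }

    # Assumption: the InterfaceFlag object exposes the current value as .InterfaceFlags.
    $before = $ca | Get-InterfaceFlag
    $beforeNames = "$($before.InterfaceFlags)" -split ',\s*'

    if ($beforeNames -notcontains $Flag) {
        # Nothing to change, so the CA service is not restarted.
        return [pscustomobject]@{ CA = $CAName; Flag = $Flag; Changed = $false
                                  Before = "$($before.InterfaceFlags)"
                                  After  = "$($before.InterfaceFlags)" }
    }

    $before | Disable-InterfaceFlag -Flag $Flag -RestartCA | Out-Null

    # Re-read the configuration instead of trusting the pipeline output.
    $after = $ca | Get-InterfaceFlag
    if (("$($after.InterfaceFlags)" -split ',\s*') -contains $Flag) {
        throw "Flag '$Flag' is still set on '$CAName' after the change."
    }
    [pscustomobject]@{ CA = $CAName; Flag = $Flag; Changed = $true
                       Before = "$($before.InterfaceFlags)"
                       After  = "$($after.InterfaceFlags)" }
}

# CA name taken from Example 1; keep the returned record with the change ticket.
Remove-InterfaceFlagChecked -CAName "company-CA01" -Flag "NoLocalICertRequest"
```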

Related links

Get-CertificationAuthority
Connect-CertificationAuthority
Get-InterfaceFlag
Enable-InterfaceFlag
Restore-InterfaceFlagDefault

PowerShell Support

  • PowerShell 3.0

Operating System Support

  • Windows Server 2003 all editions
  • Windows Server 2008 all editions
  • Windows Server 2008 R2 all editions
  • Windows Server 2012 all editions
  • Windows Server 2012 R2 all editions
