Gets Certification Authority's Access Control List (ACL).
Get-CASecurityDescriptor [-CertificationAuthority] <CertificateAuthority[]> [<CommonParameters>]
Gets Certification Authority's Access Control List (ACL). This ACL controls the access level to the specified CA server.
Specifies the Certification Authority object. This object can be retrieved by running Get-CertificationAuthority command.
Required? | True |
Position? | 0 |
Default value | |
Accept pipeline input? | true (ByValue, ByPropertyName) |
Accept wildcard characters? | False |
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
PKI.CertificateServices.CertificateAuthority
PKI.Security.AccessControl.CASecurityDescriptor
Author: Vadims Podans
Blog: https://www.sysadmins.lv
PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-CASecurityDescriptor
Retrievex current Access Control List from CA server installed on "ca01.company.com".
PS C:\> $ACE = @(New-Object PKI.Security.AccessControl.CertificationAuthorityAccessRule ([Security.Principal.NTAccount]"JohnWayne"), "ManageCA", "Allow") PS C:\> $ACE += New-Object PKI.Security.AccessControl.CertificationAuthorityAccessRule ([Security.Principal.NTAccount]"jsmith"), "ManageCertificates", "Allow" PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-CASecurityDescriptor | Add-CAAccessControlEntry -AccessControlEntry $ACE | Set-CASecurityDescriptor -RestartCA
First two lines create new access control entries: -- first creates ACE for John Wayne and grants him CA manager permissions. -- second creates ACE for John Smith and grants him certificate manager permissions. Third line retrieves current ACL from CA server, adds new access control entries and writes them to CA configuration. After command completion CA services will be restarted to immediately apply changes. Note that if ACL already contains entry for user account to be added, new ACE will not be added. Instead, use techniques described in Example 4.
PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-CASecurityDescriptor | Remove-CAAccessControlEntry -User "jsmith","JohnWayne" | Set-CASecurityDescriptor -RestartCA
This example retrieves current access control list from CA server installed on "ca01.company.com", removes all permissions explicitly granted to John Smith and John Wayne and writes modified ACL to CA configuration. After command completion CA services will be restarted to immediately apply changes.
PS C:\> $ACE = New-Object PKI.Security.AccessControl.CertificationAuthorityAccessRule ([Security.Principal.NTAccount]"jsmith"), "ManageCA", "Allow") PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-CASecurityDescriptor | Remove-CAAccessControlEntry -User "jsmith" | Add-CAAccessControlEntry -AccessControlEntry $ACE | Set-CASecurityDescriptor -RestartCA
This example demonstrates techniques to change permissions explicitly granted to a user. In a given example, first line creates new access control entry for John Smith. Second line retrieves access control list from CA server, removes all permissions granted to John Smith and adds new access control entry.
Get-CertificationAuthority
Connect-CertificationAuthority
Add-CAAccessControlEntry
Remove-CAAccessControlEntry
Set-CASecurityDescriptor