This page is retired and no longer updated. Project documentation and download links are moved to their new home: PowerShell PKI Module.

Remove-CAAccessControlEntry

Synopsis

Removes existing Access Control Entry (ACE) from a Certification Authority's Access Control List (ACL) for a specified user account or group.

Syntax

Remove-CAAccessControlEntry [-InputObject] <CASecurityDescriptor[]> [[-User] <NTAccount[]>] [<CommonParameters>]

Description

Removes existing Access Control Entry (ACE) from a Certification Authority's Access Control List (ACL) for a specified user account or group.

Parameters

-InputObject <CASecurityDescriptor[]>

Specifies the current access control list (ACL) object to modify. This object can be retrieved by running either, Get-CASecurityDescriptor or Add-CAAccessControlEntry commands.

Required? True
Position? 0
Default value
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? False

-User <NTAccount[]>

Specifies user or group account name to remove from ACL.

Required? False
Position? 1
Default value
Accept pipeline input? false
Accept wildcard characters? False

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

Inputs

PKI.Security.AccessControl.CASecurityDescriptor

Outputs

PKI.Security.AccessControl.CASecurityDescriptor

Notes

Author: Vadims Podans
Blog: https://www.sysadmins.lv

Examples

Example 1

PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-CASecurityDescriptor | Remove-CAAccessControlEntry -User "jsmith","JohnWayne" | Set-CASecurityDescriptor -RestartCA

This example retrieves current access control list from CA server installed on "ca01.company.com", removes all permissions explicitly granted to John Smith and John Wayne and writes modified ACL to CA configuration. After command completion CA services will be restarted to immediately apply changes.

Example 2

PS C:\> $ACE = New-Object PKI.Security.AccessControl.CertificationAuthorityAccessRule ([Security.Principal.NTAccount]"jsmith"), "ManageCA", "Allow")
PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-CASecurityDescriptor | Remove-CAAccessControlEntry -User "jsmith" | Add-CAAccessControlEntry -AccessControlEntry $ACE | Set-CASecurityDescriptor -RestartCA

This example demonstrates techniques to change permissions explicitly granted to a user. In a given example, first line creates new access control entry for John Smith. Second line retrieves access control list from CA server, removes all permissions granted to John Smith and adds new access control entry.

Related links

Get-CertificationAuthority
Connect-CertificationAuthority
Get-CASecurityDescriptor
Add-CAAccessControlEntry
Set-CASecurityDescriptor

Minimum PowerShell version support

  • PowerShell 3.0

Operating System Support

  • Windows Server 2003 all editions
  • Windows Server 2008 all editions
  • Windows Server 2008 R2 all editions
  • Windows Server 2012 all editions
  • Windows Server 2012 R2 all editions
  • Windows Server 2016 all editions

Share this article: