Removes an entity (user, computer, or security group) from the certificate template ACL.
Remove-CertificateTemplateAcl [-InputObject] <SecurityDescriptor2[]> [[-User] <NTAccount[]>] [[-AccessType] <AccessControlType>] [<CommonParameters>]
Removes an entity (user, computer, or security group) from the certificate template ACL.
This command only prepares new certificate template ACL object. In order to write it to the actual object use this command's result to Set-CertificateTemplateAcl cmdlet (see Examples section).
Note: in order to edit certificate template ACL, you must be granted for Enterprise Admins permissions or delegated permissions on 'Certificate Templates' Active Directory container.
Specifies an ACL object of certificate template. This object can be retrieved by running Get-CertificateTemplateAcl command.
Required? | True |
Position? | 0 |
Default value | |
Accept pipeline input? | true (ByValue, ByPropertyName) |
Accept wildcard characters? | False |
Specifies an account (user, computer or security group) to remove from the certificate template ACL.
Required? | False |
Position? | 1 |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
Specifies the AccessType to remove. The value can be either Allow or Deny. All Access Control Entries (ACE) with specified AccessType will be removed from ACL.
Required? | False |
Position? | 2 |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
PKI.Security.SecurityDescriptor
PKI.Security.SecurityDescriptor
Author: Vadims Podans
Blog: https://www.sysadmins.lv
PS C:\> Get-CertificateTemplate -Name WebServer | Get-CertificateTemplateAcl | Remove-CertificateTemplateAcl -User OldWebServer -AccessType Allow | Set-CertificateTemplateAcl
This command removes all granted permissions for 'OldWebServer' account from 'WebServer' certificate template ACL. After that, a new ACL will be written to the actual certificate template object (Set-CertificateTemplateAcl).
Get-CertificateTemplate
Get-CertificateTemplateAcl
Add-CertificateTemplateAcl
Set-CertificateTemplateAcl