Remove-CertificationAuthorityAcl
Synopsis
Removes existing Access Control Entry (ACE) from a Certification Authority's Access Control List (ACL) for a specified user account or group.
Syntax
Remove-CertificationAuthorityAcl -InputObject <CertSrvSecurityDescriptor[]> -Identity <NTAccount[]> -AccessType <AccessControlType> [<CommonParameters>]
Remove-CertificationAuthorityAcl -InputObject <CertSrvSecurityDescriptor[]> -Force <SwitchParameter> [<CommonParameters>]
Description
Removes existing Access Control Entry (ACE) from a Certification Authority's Access Control List (ACL) for a specified user account or group.
Parameters
-InputObject <CertSrvSecurityDescriptor[]>
Specifies the current access control list (ACL) object to modify. This object can be retrieved by running Get-CertificationAuthorityAcl command.
| Required? | True |
| Position? | named |
| Default value | |
| Accept pipeline input? | True |
| Accept wildcard characters? | False |
-AccessType <AccessControlType>
Specifies the AccessType to remove. The value can be either Allow or Deny. All Access Control Entries (ACE) with specified AccessType will be removed from ACL.
| Required? | True |
| Position? | named |
| Default value | |
| Accept pipeline input? | False |
| Accept wildcard characters? | False |
-Force <SwitchParameter>
Removes all Access Control Entries from the current ACL.
| Required? | True |
| Position? | named |
| Default value | |
| Accept pipeline input? | False |
| Accept wildcard characters? | False |
-Identity <NTAccount[]>
Specifies user or group account name to remove from Certification Authority ACL.
| Required? | True |
| Position? | named |
| Default value | |
| Accept pipeline input? | False |
| Accept wildcard characters? | False |
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216)
Inputs
SysadminsLV.PKI.Security.AccessControl.CertSrvSecurityDescriptor
Outputs
SysadminsLV.PKI.Security.AccessControl.CertSrvSecurityDescriptor
Notes
Examples
Example 1
PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-CertificationAuthorityAcl | Remove-CertificationAuthorityAcl -Identity "jsmith","JohnWayne" -AccessType Allow | Set-CertificationAuthorityAcl -RestartCA
This example retrieves current access control list from CA server installed on "ca01.company.com", removes all permissions explicitly granted to "John Smith" and "John Wayne" and writes modified ACL to CA configuration.
After command completion CA service will be restarted to immediately apply changes.
Related links
- Get-CertificationAuthority
- Connect-CertificationAuthority
- Get-CertificationAuthorityAcl
- Add-CertificationAuthorityAcl
- Set-CertificationAuthorityAcl
Minimum PowerShell version support
- Windows PowerShell 3.0
Operating System Support
- Windows 7
- Windows 8
- Windows 8.1
- Windows 10
- Windows 11
- Windows Server 2008 R2 all editions
- Windows Server 2012 all editions
- Windows Server 2012 R2 all editions
- Windows Server 2016 all editions
- Windows Server 2019 all editions
- Windows Server 2022 all editions
- Windows Server 2025 all editions