Changes the security descriptor of a certificate template.
Set-CertificateTemplateAcl [-InputObject] <SecurityDescriptor2[]> [<CommonParameters>]
The Set-CertificateTemplateAcl cmdlet writes the security descriptor of a specified certificate template to the actual certificate template object, to match the values in a security descriptor that you supply.
Note: in order to edit certificate template ACL, you must be granted for Enterprise Admins permissions or delegated permissions on 'Certificate Templates' Active Directory container.
Specifies an ACL object of certificate template. This object can be retrieved by running Add-CertificateTemplateAcl or Remove-CertificateTemplateAcl cmdlet.
Required? | True |
Position? | 0 |
Default value | |
Accept pipeline input? | true (ByValue, ByPropertyName) |
Accept wildcard characters? | False |
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
PKI.Security.SecurityDescriptor
PKI.Security.SecurityDescriptor
Author: Vadims Podans
Blog: https://www.sysadmins.lv
PS C:\> Get-CertificateTemplate -Name WebServer | Get-CertificateTemplate | Add-CertificateTemplateAcl -User WebServerGroup -AccessType Allow -AccessMask Read, Enroll | Set-CertificateTemplateAcl
This commands adds 'WebServerGroup' security group to the certificate template 'WebServer' and grants Read and Enroll permissions. After that, a new ACL is written to the actual object.
PS C:\> Get-CertificateTemplate -Name WebServer | Get-CertificateTemplateAcl | Remove-CertificateTemplateAcl -User OldWebServer -AccessType Allow | Set-CertificateTemplateAcl
This commands removes all granted permissions for 'OldWebServer' account from 'WebServer' certificate template ACL. After that, a new ACL will be written to the actual certificate template object (Set-CertificateTemplateAcl).
Get-CertificateTemplate
Get-CertificateTemplateAcl
Add-CertificateTemplateAcl
Remove-CertificateTemplateAcl