This command requires Remote Server Administration Tools (RSAT) to be installed.

Set-CertificateTemplateAcl

Synopsis

Changes the security descriptor of a certificate template.

Syntax

Set-CertificateTemplateAcl [-InputObject] <SecurityDescriptor2[]> [<CommonParameters>]

Description

The Set-CertificateTemplateAcl cmdlet writes the security descriptor of a specified certificate template to the actual certificate template object, to match the values in a security descriptor that you supply.

Note: to edit a certificate template ACL, you must have Enterprise Admins permissions or delegated permissions on the 'Certificate Templates' Active Directory container.

Parameters

-InputObject <SecurityDescriptor2[]>

Specifies the ACL object of a certificate template. This object can be retrieved by running the Add-CertificateTemplateAcl or Remove-CertificateTemplateAcl cmdlet.

Required? True
Position? 0
Default value
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? False

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

Inputs

PKI.Security.SecurityDescriptor

Outputs

PKI.Security.SecurityDescriptor

Notes

Author: Vadims Podans
Blog: https://www.sysadmins.lv

Examples

Example 1

PS C:\> Get-CertificateTemplate -Name WebServer | Get-CertificateTemplateAcl | Add-CertificateTemplateAcl -User WebServerGroup -AccessType Allow -AccessMask Read, Enroll | Set-CertificateTemplateAcl

This command adds the 'WebServerGroup' security group to the ACL of the 'WebServer' certificate template and grants it Read and Enroll permissions. After that, the new ACL is written to the actual object.

Example 2

PS C:\> Get-CertificateTemplate -Name WebServer | Get-CertificateTemplateAcl | Remove-CertificateTemplateAcl -User OldWebServer -AccessType Allow | Set-CertificateTemplateAcl

This command removes all granted permissions for the 'OldWebServer' account from the 'WebServer' certificate template ACL. After that, the new ACL is written to the actual certificate template object (Set-CertificateTemplateAcl).
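
Added example (not part of the original documentation or the module's own samples): a staged change that snapshots the current ACL, builds the new ACL in memory, shows it for review and only then writes it with Set-CertificateTemplateAcl. It assumes the principals 'WebServerGroup' and 'OldWebServer' from the examples above, and that the ACL object exposes its entries through an Access property.

```powershell
# Added example. Assumptions: the PSPKI module is installed, the account has
# write access to the template, and the ACL object has an 'Access' property.
Import-Module PSPKI

$template = Get-CertificateTemplate -Name WebServer

# 1. Snapshot the ACL as it is stored in Active Directory right now.
$before = $template | Get-CertificateTemplateAcl
Write-Host "Current ACL on 'WebServer':"
$before | Select-Object -ExpandProperty Access | Format-Table -AutoSize

# 2. Build the new ACL in memory. Add-/Remove-CertificateTemplateAcl only
#    return a modified security descriptor; nothing is written to the
#    template until Set-CertificateTemplateAcl runs.
$pending = $template | Get-CertificateTemplateAcl |
    Remove-CertificateTemplateAcl -User OldWebServer -AccessType Allow |
    Add-CertificateTemplateAcl -User WebServerGroup -AccessType Allow -AccessMask Read, Enroll

# 3. Review the pending entries before committing. Enroll rights decide who
#    can request certificates from this template, so check every principal.
Write-Host "Pending ACL (not yet written):"
$pending | Select-Object -ExpandProperty Access | Format-Table -AutoSize

# 4. Commit only after explicit confirmation.
if ((Read-Host "Write this ACL to the template? (y/n)") -eq 'y') {
    $pending | Set-CertificateTemplateAcl | Out-Null

    # 5. Re-read the template from the directory to confirm what was stored.
    Write-Host "ACL after the change:"
    Get-CertificateTemplate -Name WebServer |
        Get-CertificateTemplateAcl |
        Select-Object -ExpandProperty Access |
        Format-Table -AutoSize
}
else {
    Write-Host "No changes were written."
}
```

Keeping the output of step 1 with the change record gives a reference for restoring the previous permissions if the new ACL turns out to be wrong.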

Related links

Get-CertificateTemplate
Get-CertificateTemplateAcl
Add-CertificateTemplateAcl
Remove-CertificateTemplateAcl

Minimum PowerShell version support

  • PowerShell 3.0

Operating System Support

  • Windows XP
  • Windows Vista
  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows Server 2003 all editions
  • Windows Server 2008 all editions
  • Windows Server 2008 R2 all editions
  • Windows Server 2012 all editions
  • Windows Server 2012 R2 all editions
  • Windows Server 2016 all editions

Comments:

cypher 23.11.2016 20:38 (GMT+2) Set-CertificateTemplateAcl

First example is incorrect.  Should be:

PS C:\> Get-CertificateTemplate -Name WebServer | Get-CertificateTemplateACL | Add-CertificateTemplateAcl -User WebServerGroup -AccessType Allow -AccessMask Read, Enroll | Set-CertificateTemplateACL

 

Also, to set a computer, put a $ after the computer name, like so:

PS C:\> Get-CertificateTemplate -Name WebServer | Get-CertificateTemplate | Add-CertificateTemplateAcl -User ServerName$ -AccessType Allow -AccessMask Read, Enroll
 

cypher 23.11.2016 20:40 (GMT+2) Set-CertificateTemplateAcl

Sorry, bad copy-paste, example for using a computer name should be:

PS C:\> Get-CertificateTemplate -Name WebServer | Get-CertificateTemplateACL | Add-CertificateTemplateAcl -User ServerName$ -AccessType Allow -AccessMask Read, Enroll | Set-CertificateTemplateACL

 

