Comments on this page are supposed to improve article content and no technical support is provided. For technical questions, please visit project home page at: https://github.com/Crypt32/PSPKI

Set-CertificateTemplateAcl

[This command requires installed Remote Server Administration Tools (RSAT)]

Synopsis

Changes the security descriptor of a certificate template.

Syntax

Set-CertificateTemplateAcl [-InputObject] <SecurityDescriptor2[]> [<CommonParameters>]

Description

The Set-CertificateTemplateAcl cmdlet writes a security descriptor that you supply to the actual certificate template object in Active Directory, so that the object's permissions match the descriptor. Get-CertificateTemplateAcl, Add-CertificateTemplateAcl and Remove-CertificateTemplateAcl only read or modify the descriptor object in memory; nothing changes on the template until that object is passed to Set-CertificateTemplateAcl.

Note: to edit a certificate template ACL you must be a member of Enterprise Admins, or have delegated permissions on the 'Certificate Templates' container in Active Directory (CN=Certificate Templates,CN=Public Key Services,CN=Services, under the Configuration naming context). Template permissions decide who can enroll for certificates from the template and who can change it, so review the descriptor before writing it.

Parameters

-InputObject <SecurityDescriptor2[]>

Specifies the ACL (security descriptor) object of a certificate template. This object is retrieved with the Get-CertificateTemplateAcl cmdlet and is usually passed through Add-CertificateTemplateAcl or Remove-CertificateTemplateAcl before it is written with this cmdlet.

Required? True
Position? 0
Default value  
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? False

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).

Inputs

PKI.Security.SecurityDescriptor


Outputs

PKI.Security.SecurityDescriptor


Notes

Author: Vadims Podans
Blog: https://www.sysadmins.lv

Examples

Example 1

PS C:\> Get-CertificateTemplate -Name WebServer | Get-CertificateTemplateAcl | Add-CertificateTemplateAcl -User WebServerGroup -AccessType Allow -AccessMask Read, Enroll | Set-CertificateTemplateAcl

This command adds the 'WebServerGroup' security group to the ACL of the certificate template 'WebServer' and grants it Read and Enroll permissions. After that, the new ACL is written to the actual certificate template object (Set-CertificateTemplateAcl). Without the final Set-CertificateTemplateAcl step the modified descriptor exists only in memory and the template is not changed.

Example 2

PS C:\> Get-CertificateTemplate -Name WebServer | Get-CertificateTemplateAcl | Remove-CertificateTemplateAcl -User OldWebServer -AccessType Allow | Set-CertificateTemplateAcl

This command removes all Allow permissions granted to the 'OldWebServer' account from the 'WebServer' certificate template ACL. After that, the new ACL is written to the actual certificate template object (Set-CertificateTemplateAcl).
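The read, modify, write sequence that the Description and the two examples above describe, carried through as a complete script with a record of the descriptor before and after the write. This is an added example, not code from the PSPKI documentation or project. It assumes the PSPKI module is installed, that the caller has Enterprise Admins membership or delegated rights on the 'Certificate Templates' container, and that Format-List * prints enough of the descriptor object to make a before/after diff meaningful; the template name 'WebServer', the group 'CONTOSO\WebServerGroup' and the backup directory are placeholders.

```powershell
# Added example (not from the PSPKI documentation or project): change a
# certificate template ACL while keeping a before/after record for review
# and rollback. Template, principal and backup path are placeholders.
Import-Module PSPKI -ErrorAction Stop

$TemplateName = 'WebServer'               # placeholder template name
$Principal    = 'CONTOSO\WebServerGroup'  # placeholder group; append '$' for a computer account
$BackupDir    = Join-Path $env:TEMP 'TemplateAclBackups'

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$beforeFile = Join-Path $BackupDir "$TemplateName-$stamp-before.txt"
$afterFile  = Join-Path $BackupDir "$TemplateName-$stamp-after.txt"

# 1. Read the current descriptor and dump it to a file before touching it.
#    The dump, not the in-memory object, is the rollback reference, because
#    Add-/Remove-CertificateTemplateAcl may change the object in place.
$template = Get-CertificateTemplate -Name $TemplateName -ErrorAction Stop
$acl      = $template | Get-CertificateTemplateAcl -ErrorAction Stop
$acl | Format-List * | Out-File -FilePath $beforeFile -Encoding UTF8

# 2. Modify the descriptor in memory. Nothing has been written to AD yet.
$acl = $acl | Add-CertificateTemplateAcl -User $Principal -AccessType Allow -AccessMask Read, Enroll

# 3. Write it back. Set-CertificateTemplateAcl is the only step that changes
#    the template object; stop on any error so a half-applied state is noticed.
try {
    $acl | Set-CertificateTemplateAcl -ErrorAction Stop | Out-Null
}
catch {
    Write-Error "ACL write for template '$TemplateName' failed: $($_.Exception.Message)"
    return
}

# 4. Re-read from AD (do not trust the in-memory object) and diff against the
#    saved copy so the operator sees exactly which lines changed.
Get-CertificateTemplate -Name $TemplateName |
    Get-CertificateTemplateAcl |
    Format-List * |
    Out-File -FilePath $afterFile -Encoding UTF8

Compare-Object -ReferenceObject (Get-Content $beforeFile) `
               -DifferenceObject (Get-Content $afterFile) |
    Format-Table -AutoSize

Write-Host "Before: $beforeFile"
Write-Host "After : $afterFile"

# Rollback, if the diff is not what was intended: remove the same ACE and write again.
#   Get-CertificateTemplate -Name $TemplateName | Get-CertificateTemplateAcl |
#       Remove-CertificateTemplateAcl -User $Principal -AccessType Allow |
#       Set-CertificateTemplateAcl
```

The point of re-reading the template after the write, rather than printing the object that was piped into Set-CertificateTemplateAcl, is that only the re-read shows what Active Directory actually holds; if the write was rejected (for example because the account lacks rights on the 'Certificate Templates' container) the diff will be empty and the error from step 3 explains why.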

Related links

Get-CertificateTemplate
Get-CertificateTemplateAcl
Add-CertificateTemplateAcl
Remove-CertificateTemplateAcl

PowerShell Support

  • PowerShell 3.0

Operating System Support

  • Windows XP
  • Windows Vista
  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows Server 2003 all editions
  • Windows Server 2008 all editions
  • Windows Server 2008 R2 all editions
  • Windows Server 2012 all editions
  • Windows Server 2012 R2 all editions

Comments:

Aaron 20.10.2016 11:48 (GMT+2)

It appears this doesn't work at least on Server 2016...

Even when running the example commands, you get errors "Get-CertificateTemplate : The input object cannot be bound to any parameters for the command either because the command does not take pipeline input or the input and its properties do not match any of the parameters that take pipeline input."

:(

Vadims Podāns 24.10.2016 22:28 (GMT+2)
cypher 23.11.2016 20:38 (GMT+2)

First example is incorrect. Should be:

PS C:\> Get-CertificateTemplate -Name WebServer | Get-CertificateTemplateACL | Add-CertificateTemplateAcl -User WebServerGroup -AccessType Allow -AccessMask Read, Enroll | Set-CertificateTemplateACL


Also, to set a computer, put a $ after the computer name, like so:

PS C:\> Get-CertificateTemplate -Name WebServer | Get-CertificateTemplate | Add-CertificateTemplateAcl -User ServerName$ -AccessType Allow -AccessMask Read, Enroll

cypher 23.11.2016 20:40 (GMT+2)

Sorry, bad copy-paste, example for using a computer name should be:

PS C:\> Get-CertificateTemplate -Name WebServer | Get-CertificateTemplateACL | Add-CertificateTemplateAcl -User ServerName$ -AccessType Allow -AccessMask Read, Enroll | Set-CertificateTemplateACL
