Set-CertificationAuthorityAcl

Synopsis

Writes modified access control list (ACL) to Certification Authority configuration.

Syntax

Set-CertificationAuthorityAcl [-InputObject] <CertSrvSecurityDescriptor[]> [-RestartCA] [<CommonParameters>]

Description

Writes modified access control list (ACL) to Certification Authority configuration.

Note: new ACL will not have effect until CA service is restarted.

Parameters

-RestartCA <SwitchParameter>

Restarts CA service on the specified CA server to immediately apply changes.

-InputObject <CertSrvSecurityDescriptor[]>

Specifies the current access control list (ACL) object to write. This object can be retrieved by running either, Add-CertificationAuthorityAcl or Remove-CertificationAuthorityAcl commands.

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216)

Inputs

SysadminsLV.PKI.Security.AccessControl.CertSrvSecurityDescriptor

Outputs

SysadminsLV.PKI.Security.AccessControl.CertSrvSecurityDescriptor

Notes

Examples

Example 1

PS C:\> $ACE = @(New-Object SysadminsLV.PKI.Security.AccessControl.CertSrvAccessRule ([Security.Principal.NTAccount]"JohnWayne"), "ManageCA", "Allow")
PS C:\> $ACE += New-Object SysadminsLV.PKI.Security.AccessControl.CertSrvAccessRule ([Security.Principal.NTAccount]"jsmith"), "ManageCertificates", "Allow"
PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-CertificationAuthorityAcl | Add-CertificationAuthorityAcl -AccessRule $ACE | Set-CertificationAuthorityAcl -RestartCA

First two lines create new access control entries:
-- first creates ACE for John Wayne and grants him CA manager permissions.
-- second creates ACE for John Smith and grants him certificate manager permissions.
Third line retrieves current ACL from CA server, adds new access control entries and writes them to CA configuration. After command completion CA services will be restarted to immediately apply changes.

Note that if ACL already contains entry for user account to be added, new ACE will not be added. Instead, use techniques described in Example 4.

Example 2

PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-CertificationAuthorityAcl | Remove-CertificationAuthorityAcl -User "jsmith","JohnWayne" | Set-CertificationAuthorityAcl -RestartCA

This example retrieves current access control list from CA server installed on "ca01.company.com", removes all permissions explicitly granted to John Smith and John Wayne and writes modified ACL to CA configuration.
After command completion CA services will be restarted to immediately apply changes.

Example 3

PS C:\> $ACE = New-Object SysadminsLV.PKI.Security.AccessControl.CertSrvAccessRule ([Security.Principal.NTAccount]"jsmith"), "ManageCA", "Allow")
PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-CertificationAuthorityAcl | Remove-CertificationAuthorityAcl -User "jsmith" | Add-CertificationAuthorityAcl -AccessRule $ACE | Set-CertificationAuthorityAcl -RestartCA

This example demonstrates techniques to change permissions explicitly granted to a user. In a given example, first line creates new access control entry for John Smith. Second line retrieves access control list from CA server, removes all permissions granted to John Smith and adds new access control entry.

Related links

• Get-CertificationAuthority
• Connect-CertificationAuthority
• Get-CertificationAuthorityAcl
• Add-CertificationAuthorityAcl
• Remove-CertificationAuthorityAcl

Minimum PowerShell version support

• Windows PowerShell 3.0

Operating System Support

• Windows 7
• Windows 8
• Windows 8.1
• Windows 10
• Windows 11
• Windows Server 2008 R2 all editions
• Windows Server 2012 all editions
• Windows Server 2012 R2 all editions
• Windows Server 2016 all editions
• Windows Server 2019 all editions
• Windows Server 2022 all editions
• Windows Server 2025 all editions