Sysadmins LV
Vadims Podāns
Vadims Podāns
  • I work at
PKI Solutions
Microsoft Most Valuable Professional: Windows PowerShell
Protected by Copyscape DMCA Takedown Notice Search Tool
This page is retired and no longer updated. Project documentation and download links are moved to their new home: PowerShell PKI Module.
This command is not available in non-domain environments
This command requires installed Remote Server Administration Tools (RSAT)

Add-CertificateTemplateAcl

Synopsis

Adds an entity (user, computer, or security group) to the certificate template ACL.

Syntax

Add-CertificateTemplateAcl [-InputObject] <SecurityDescriptor2[]> [[-User] <NTAccount[]>] [[-AccessType] <AccessControlType>] [[-AccessMask] <TemplateRight[]>] [<CommonParameters>]

Description

Adds an entity (user, computer, or security group) to the certificate template ACL.

This command only prepares new certificate template ACL object. In order to write it to the actual object in Active Directory use this command's result to Set-CertificateTemplateAcl cmdlet (see Examples section).

Note: in order to edit certificate template ACL, you must be granted for Enterprise Admins permissions or delegated permissions on 'Certificate Templates' Active Directory container.

Parameters

-InputObject <SecurityDescriptor2[]>

Specifies an ACL object of certificate template. This object can be retrieved by running Get-CertificateTemplateAcl command.

Required? True
Position? 0
Default value
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? False

-User <NTAccount[]>

specifies a user, computer or a group to add to ACL. If the template is intended for computers, use computer accounts and groups that contain computer accounts. If the template is intended for users, use user accounts and groups that contain user accounts. Use only global and/or universal groups. Domain Local groups are not allowed.

Required? False
Position? 1
Default value
Accept pipeline input? false
Accept wildcard characters? False

-AccessType <AccessControlType>

Specifies access type. Access type can be either: Allow or Deny. Try to avoid Deny access type usage. Instead, you should remove an account from the ACL or grant only required permissions.

Required? False
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? False

-AccessMask <TemplateRight[]>

Specifies a set of permissions to assign. The following values can be used: 'FullControl', 'Read', 'Write', 'Enroll', 'Autoenroll'.

Required? False
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? False

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

Inputs

PKI.Security.SecurityDescriptor[]

Outputs

PKI.Security.SecurityDescriptor[]

Notes

Author: Vadims Podans
Blog: https://www.sysadmins.lv

Examples

Example 1

PS C:\> Get-CertificateTemplate -Name WebServer | Get-CertificateTemplate | Add-CertificateTemplateAcl -User WebServerGroup -AccessType Allow -AccessMask Read, Enroll | Set-CertificateTemplateAcl

This commands adds 'WebServerGroup' security group to the certificate template 'WebServer' and grants Read and Enroll permissions. After that, a new ACL is written to the actual object.

Related links

Get-CertificateTemplate
Get-CertificateTemplateAcl
Remove-CertificateTemplateAcl
Set-CertificateTemplateAcl

Minimum PowerShell version support

  • PowerShell 3.0

Operating System Support

  • Windows Vista
  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows 10
  • Windows Server 2003 all editions
  • Windows Server 2008 all editions
  • Windows Server 2008 R2 all editions
  • Windows Server 2012 all editions
  • Windows Server 2012 R2 all editions
  • Windows Server 2016 all editions
Share this article: