[This command is not available in non-domain environments]

NAME

Add-CertificateTemplateAcl

SYNOPSIS

Adds an entity (user, computer, or security group) to the certificate template ACL.

SYNTAX

Add-CertificateTemplateAcl [-InputObject] <SecurityDescriptor> [[-User] <NTAccount[]>] [[-AccessType] <AccessControlType>] [[-AccessMask] <TemplateRight[]>] [<CommonParameters>]

DESCRIPTION

Adds an entity (user, computer, or security group) to the certificate template ACL.

This command only prepares a new certificate template ACL object. To write it to the actual object in Active Directory, pipe this command's result to the Set-CertificateTemplateAcl cmdlet (see the Examples section).

Note: in order to edit a certificate template ACL, you must be granted Enterprise Admins permissions or delegated permissions on the 'Certificate Templates' Active Directory container.

PARAMETERS

-InputObject <SecurityDescriptor>

Specifies the ACL object of a certificate template. This object can be retrieved by running the Get-CertificateTemplateAcl command.

Required? true
Position? 1
Default value  
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? false

-User <NTAccount[]>

Specifies a user, computer or group to add to the ACL. If the template is intended for computers, use computer accounts and groups that contain computer accounts. If the template is intended for users, use user accounts and groups that contain user accounts. Use only global and/or universal groups. Domain Local groups are not allowed.

Required? false
Position? 2
Default value  
Accept pipeline input? false
Accept wildcard characters? false

-AccessType <AccessControlType>

Specifies the access type, which can be either Allow or Deny. Try to avoid using the Deny access type. Instead, remove the account from the ACL or grant only the required permissions.

Required? false
Position? 3
Default value  
Accept pipeline input? false
Accept wildcard characters? false

-AccessMask <TemplateRight[]>

Specifies a set of permissions to assign. The following values can be used: 'FullControl', 'Read', 'Write', 'Enroll', 'Autoenroll'.

Required? false
Position? 4
Default value  
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer and OutVariable. For more information, type,
"get-help about_commonparameters".

INPUTS

PKI.Security.SecurityDescriptor

OUTPUTS

PKI.Security.SecurityDescriptor

NOTES

Author: Vadims Podans
Blog: http://en-us.sysadmins.lv

EXAMPLES

-------------- Example 1 --------------

C:\PS>Get-CertificateTemplate -Name WebServer | Get-CertificateTemplateAcl | Add-CertificateTemplateAcl -User WebServerGroup -AccessType Allow -AccessMask Read, Enroll | Set-CertificateTemplateAcl

This command adds the 'WebServerGroup' security group to the ACL of the certificate template 'WebServer' and grants it Read and Enroll permissions. After that, the new ACL is written to the actual object.
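
The following is an added example, not part of the original help text or the module: a hypothetical wrapper function (Grant-TemplateEnrollment, with assumed parameter names) that keeps the prepare step and the write step separate and accepts only enrollment-related rights. It assumes the module providing these cmdlets is already loaded and that the caller has the permissions described in the Note above.

```powershell
# Added example: hypothetical helper, not shipped with the module.
# Uses only the cmdlets and parameters documented on this page.
function Grant-TemplateEnrollment {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string]$TemplateName,
        [Parameter(Mandatory = $true)][string[]]$Account,
        # Only rights needed to request a certificate are accepted;
        # 'Write' and 'FullControl' are deliberately left out of the set.
        [ValidateSet('Read', 'Enroll', 'Autoenroll')]
        [string[]]$Right = @('Read', 'Enroll')
    )

    # Enroll and Autoenroll are of no use unless the account can also read the template.
    if ($Right -notcontains 'Read') { $Right = @('Read') + $Right }

    # Step 1: prepare the new ACL in memory. Nothing in Active Directory changes yet.
    $newAcl = Get-CertificateTemplate -Name $TemplateName |
        Get-CertificateTemplateAcl |
        Add-CertificateTemplateAcl -User $Account -AccessType Allow -AccessMask $Right

    if (-not $newAcl) {
        throw "No ACL was prepared for template '$TemplateName'."
    }

    # Step 2: write only after confirmation; with -WhatIf the write is skipped.
    $action = "Grant $($Right -join ', ') to $($Account -join ', ')"
    if ($PSCmdlet.ShouldProcess($TemplateName, $action)) {
        $newAcl | Set-CertificateTemplateAcl
    } else {
        # Return the prepared, unwritten ACL so it can be reviewed.
        $newAcl
    }
}

# Dry run: returns the prepared ACL for review without writing it.
Grant-TemplateEnrollment -TemplateName WebServer -Account WebServerGroup -WhatIf
```

Run it again without -WhatIf to be prompted before the ACL is written to the template.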

RELATED LINKS

Get-CertificateTemplate
Get-CertificateTemplateAcl
Remove-CertificateTemplateAcl
Set-CertificateTemplateAcl

Last edited Jul 27, 2012 at 7:56 AM by Camelot, version 6
