Add-CertificationAuthorityAcl

Synopsis

Adds new Access Control Entry (ACE) to a Certification Authority's Access Control List (ACL).

Syntax

Add-CertificationAuthorityAcl -InputObject <CertSrvSecurityDescriptor[]> -Identity <NTAccount[]> -AccessType <AccessControlType> -AccessMask <CertSrvRights> [<CommonParameters>]

Add-CertificationAuthorityAcl -InputObject <CertSrvSecurityDescriptor[]> -AccessRule <CertSrvAccessRule[]> [<CommonParameters>]

Description

Adds new Access Control Entry (ACE) to a Certification Authority's Access Control List (ACL).

This command performs ACL object change. Use Set-CertificationAuthorityAcl to write modified ACL to CA configuration.

Note: CA security descriptor supports only one ACE per principal. Therefore, if added prinicpal already has explicit permissions on CA server, existing ACE is updated.

Parameters

-InputObject <CertSrvSecurityDescriptor[]>

Specifies an ACL object of Certification Authority. This object can be retrieved by running Get-CertificationAuthorityAcl command.

-AccessType <AccessControlType>

Specifies access type. Access type can be either: Allow or Deny. Try to avoid Deny access type usage. Instead, you should remove an account from the ACL or grant only required permissions.

-AccessMask <CertSrvRights>

Specifies the access mask to apply to entities specified in '-Identity' parameter.

-Identity <NTAccount[]>

Specifies a user, computer or a group to add to ACL.

-AccessRule <CertSrvAccessRule[]>

Specifies an ACL object of Certification Authority. This object can be retrieved by running Get-CertificationAuthorityAcl command.

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

Inputs

SysadminsLV.PKI.Security.AccessControl.CertSrvSecurityDescriptor

Outputs

SysadminsLV.PKI.Security.AccessControl.CertSrvSecurityDescriptor

Notes

Examples

Example 1

PS C:\> Get-CertificationAuthority "ca01.example.com" | Get-CertificationAuthorityAcl | Add-CertificationAuthorityAcl -Identity "Cert Managers" -AccessType "Allow" -AccessMask "ManageCertificates" | Set-CertificationAuthorityAcl -RestartCA

In this example, existing Access Control List (ACL) object is retrieved from CA server hosted on "ca01.example.com" and added new "Allow" Access Control Entry (ACE) for group "Cert Managers" with "ManageCertificates" access and writes new ACL back to CA server configuration. CA service is restarted to immediately apply changes.

Example 2

PS C:\> $SourceACL = Get-CertificationAuthority "ca01.example.com" | Get-CertificationAuthorityAcl
PS C:\> $DestinationACL = Get-CertificationAuthority "ca01.example.com" | Get-CertificationAuthorityAcl | Remove-CertificationAuthorityAcl -Force
PS C:\> $DestinationACL | Add-CertificationAuthorityAcl -AccessRule $SourceACL.Access | Set-CertificationAuthorityAcl -RestartCA

This example shows techniques used to copy and replace ACL from source CA to destination CA. a) First line retrieves ACL from source CA server hosted on "ca01.example.com". b) Second line retrieves existing ACL from destination CA server hosted on "ca02.example.com" and clears all Access Control Entries (ACE). c) Third line copies ACEs from source CA to destination CA. Destination CA service is restarted to immediately apply new ACL.

Related links

Get-CertificationAuthority
Connect-CertificationAuthority
Get-CertificationAuthorityAcl
Remove-CertificationAuthorityAcl
Set-CertificationAuthorityAcl

Minimum PowerShell version support

• Windows PowerShell 3.0

Operating System Support

• Windows 7
• Windows 8
• Windows 8.1
• Windows 10
• Windows 11
• Windows Server 2008 R2 all editions
• Windows Server 2012 all editions
• Windows Server 2012 R2 all editions
• Windows Server 2016 all editions
• Windows Server 2019 all editions
• Windows Server 2022 all editions