Black Friday Special! Get 30% off Training Subscriptions with code BLACKFRIDAY30 at checkout!
Close

PowerShell PKI Module Documentation

Documentation Home
This command is not available in non-domain environments
This command requires installed Remote Server Administration Tools (RSAT)

Set-CertificateTemplateAcl

Synopsis

Changes the security descriptor of a certificate template.

Syntax

Set-CertificateTemplateAcl [-InputObject] <CertTemplateSecurityDescriptor[]> [<CommonParameters>]

Description

The Set-CertificateTemplateAcl cmdlet writes the security descriptor of a specified certificate template to the actual certificate template object, to match the values in a security descriptor that you supply.

Note: in order to edit certificate template ACL, you must be granted for Enterprise Admins permissions or delegated permissions on 'Certificate Templates' Active Directory container.

Parameters

-InputObject <CertTemplateSecurityDescriptor[]>

Specifies an ACL object of certificate template. This object can be retrieved by running Get-CertificateTemplateAcl, Add-CertificateTemplateAcl or Remove-CertificateTemplateAcl cmdlet.

Required? True
Position? 0
Default value
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? False

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

Inputs

SysadminsLV.PKI.Security.AccessControl.CertTemplateSecurityDescriptor

Outputs

SysadminsLV.PKI.Security.AccessControl.CertTemplateSecurityDescriptor

Notes

Examples

Example 1

PS C:\> Get-CertificateTemplate -Name WebServer | Get-CertificateTemplate | Add-CertificateTemplateAcl -User WebServerGroup -AccessType Allow -AccessMask Read, Enroll | Set-CertificateTemplateAcl

This commands adds 'WebServerGroup' security group to the certificate template 'WebServer' and grants Read and Enroll permissions. After that, a new ACL is written to the actual object.

Example 2

PS C:\> Get-CertificateTemplate -Name WebServer | Get-CertificateTemplateAcl | Remove-CertificateTemplateAcl -User OldWebServer -AccessType Allow | Set-CertificateTemplateAcl

This commands removes all granted permissions for 'OldWebServer' account from 'WebServer' certificate template ACL. After that, a new ACL will be written to the actual certificate template object (Set-CertificateTemplateAcl).

Related links

Get-CertificateTemplate
Get-CertificateTemplateAcl
Add-CertificateTemplateAcl
Remove-CertificateTemplateAcl

Minimum PowerShell version support

  • Windows PowerShell 3.0

Operating System Support

  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows 10
  • Windows 11
  • Windows Server 2008 R2 all editions
  • Windows Server 2012 all editions
  • Windows Server 2012 R2 all editions
  • Windows Server 2016 all editions
  • Windows Server 2019 all editions
  • Windows Server 2022 all editions