We're headed to GridSecCon 2024, October 22-25 in Minneapolis, MN! Learn more here

PowerShell PKI Module Documentation

Documentation Home
This command is not available in non-domain environments
This command requires installed Remote Server Administration Tools (RSAT)

Add-OnlineResponderAcl

Synopsis

Adds new Access Control Entry (ACE) to a Certification Authority's Access Control List (ACL).

Syntax

Add-OnlineResponderAcl -InputObject <OcspResponderSecurityDescriptor[]> -Identity <NTAccount[]> -AccessType <AccessControlType> -AccessMask <OcspResponderRights> [<CommonParameters>]

Add-OnlineResponderAcl -InputObject <OcspResponderSecurityDescriptor[]> -AccessRule <OcspResponderAccessRule[]> [<CommonParameters>]

Description

Adds new Access Control Entry (ACE) to a Online Responder's Access Control List (ACL).

This command performs ACL object change. Use Set-OnlineResponderAcl to write modified ACL to Online Responder configuration.

Note: Online Responder security descriptor supports only one ACE per principal. Therefore, if added prinicpal already has explicit permissions on Online Responder server, existing ACE is updated.

Parameters

-InputObject <OcspResponderSecurityDescriptor[]>

Specifies an ACL object of Online Responder. This object can be retrieved by running Get-OnlineResponderAcl command.

Required? True
Position? named
Default value
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? False

-AccessType <AccessControlType>

Specifies access type. Access type can be either: Allow or Deny. Try to avoid Deny access type usage. Instead, you should remove an account from the ACL or grant only required permissions.

Required? True
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? False

-AccessMask <OcspResponderRights>

Specifies the access mask to apply to entities specified in '-Identity' parameter.

Required? True
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? False

-Identity <NTAccount[]>

Specifies a user, computer or a group to add to ACL.

Required? True
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? False

-AccessRule <OcspResponderAccessRule[]>

Specifies the new access control entry object to add.

Required? True
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? False

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

Inputs

SysadminsLV.PKI.Security.AccessControl.OcspResponderSecurityDescriptor

Outputs

SysadminsLV.PKI.Security.AccessControl.OcspResponderSecurityDescriptor

Notes

Examples

Example 1

PS C:\> Connect-OnlineResponder "ocsp1.example.com" | Get-OnlineResponderAcl | Add-OnlineResponderAcl -Identity "OCSP Admins" -AccessType "Allow" -AccessMask "Manage" | Set-OnlineResponderAcl

In this example, existing Access Control List (ACL) object is retrieved from Online Responder server hosted on "ocsp1.example.com" and added new "Allow" Access Control Entry (ACE) for group "OCSP Admins" with "Manage" access and writes new ACL back to Online Responder configuration.

Example 2

PS C:\> $SourceACL = Connect-OnlineResponder -ComputerName "ocsp1.example.com" | Get-OnlineResponderAcl
PS C:\> $DestinationACL = Connect-OnlineResponder -ComputerName "ocsp3.example.com" | Get-OnlineResponderAcl | Remove-OnlineResponderAcl -Force
PS C:\> $DestinationACL | Add-OnlineResponderAcl -AccessRule $SourceACL.Access | Set-OnlineResponderAcl

This example shows techniques used to copy and replace ACL from source Online Responder to destination Online Responder. a) First line retrieves ACL from source Online Responder hosted on "ocsp1.example.com". b) Second line retrieves existing ACL from destination Online Responder hosted on "ocsp3.example.com" and clears all Access Control Entries (ACE). c) Third line copies ACEs from source Online Responder to destination Online Responder.

Related links

Connect-OnlineResponder
Get-OnlineResponderAcl
Remove-OnlineResponderAcl
Set-OnlineResponderAcl

Minimum PowerShell version support

  • Windows PowerShell 3.0

Operating System Support

  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows 10
  • Windows 11
  • Windows Server 2008 R2 all editions
  • Windows Server 2012 all editions
  • Windows Server 2012 R2 all editions
  • Windows Server 2016 all editions
  • Windows Server 2019 all editions
  • Windows Server 2022 all editions