Webinar: PKI Insights - Best Practices for Improving your PKI Posture Management Program for your Digital Certificates and Encryption by PKI Solutions
Close

PowerShell PKI Module Documentation

Documentation Home
This command is not available in non-domain environments
This command requires installed Remote Server Administration Tools (RSAT)

Remove-CertificateTemplateAcl

Synopsis

Removes an entity (user, computer, or security group) from the certificate template ACL.

Syntax

Remove-CertificateTemplateAcl -InputObject <CertTemplateSecurityDescriptor[]> -Identity <NTAccount[]> -AccessType <AccessControlType> [<CommonParameters>]

Remove-CertificateTemplateAcl -InputObject <CertTemplateSecurityDescriptor[]> -Force <SwitchParameter> [<CommonParameters>]

Description

Removes an entity (user, computer, or security group) from the certificate template ACL.

This command only prepares new certificate template ACL object. In order to write it to the actual object use this command's result to Set-CertificateTemplateAcl cmdlet (see Examples section).

Note: in order to edit certificate template ACL, you must be granted for Enterprise Admins permissions or delegated permissions on 'Certificate Templates' Active Directory container.

Parameters

-AccessType <AccessControlType>

Specifies the AccessType to remove. The value can be either Allow or Deny. All Access Control Entries (ACE) with specified AccessType will be removed from ACL.

Required? True
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? False

-InputObject <CertTemplateSecurityDescriptor[]>

Specifies the current access control list (ACL) object to modify. This object can be retrieved by running Get-CertificateTemplateAcl command.

Required? True
Position? named
Default value
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? False

-Force <SwitchParameter>

Removes all Access Control Entries from the current ACL.

Required? True
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? False

-Identity <NTAccount[]>

Specifies an account (user, computer or security group) to remove from the certificate template ACL.

Required? True
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? False

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

Inputs

SysadminsLV.PKI.Security.AccessControl.CertTemplateSecurityDescriptor

Outputs

SysadminsLV.PKI.Security.AccessControl.CertTemplateSecurityDescriptor

Notes

Examples

Example 1

PS C:\> Get-CertificateTemplate -Name WebServer | Get-CertificateTemplateAcl | Remove-CertificateTemplateAcl -Identity "OldWebServer" -AccessType Allow | Set-CertificateTemplateAcl

This command removes all granted permissions for 'OldWebServer' account from 'WebServer' certificate template ACL. After that, a new ACL will be written to the actual certificate template object (Set-CertificateTemplateAcl).

Related links

Get-CertificateTemplate
Get-CertificateTemplateAcl
Add-CertificateTemplateAcl
Set-CertificateTemplateAcl

Minimum PowerShell version support

  • Windows PowerShell 3.0

Operating System Support

  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows 10
  • Windows 11
  • Windows Server 2008 R2 all editions
  • Windows Server 2012 all editions
  • Windows Server 2012 R2 all editions
  • Windows Server 2016 all editions
  • Windows Server 2019 all editions
  • Windows Server 2022 all editions