Webinar: PKI Insights - Best Practices for Improving your PKI Posture Management Program for your Digital Certificates and Encryption by PKI Solutions

PowerShell PKI Module Documentation

Documentation Home
This command is not available in non-domain environments
This command requires installed Remote Server Administration Tools (RSAT)



Changes the security descriptor of a certificate template.


Set-CertificateTemplateAcl [-InputObject] <CertTemplateSecurityDescriptor[]> [<CommonParameters>]


The Set-CertificateTemplateAcl cmdlet writes the security descriptor of a specified certificate template to the actual certificate template object, to match the values in a security descriptor that you supply.

Note: in order to edit certificate template ACL, you must be granted for Enterprise Admins permissions or delegated permissions on 'Certificate Templates' Active Directory container.


-InputObject <CertTemplateSecurityDescriptor[]>

Specifies an ACL object of certificate template. This object can be retrieved by running Get-CertificateTemplateAcl, Add-CertificateTemplateAcl or Remove-CertificateTemplateAcl cmdlet.

Required? True
Position? 0
Default value
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? False


This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).







Example 1

PS C:\> Get-CertificateTemplate -Name WebServer | Get-CertificateTemplate | Add-CertificateTemplateAcl -User WebServerGroup -AccessType Allow -AccessMask Read, Enroll | Set-CertificateTemplateAcl

This commands adds 'WebServerGroup' security group to the certificate template 'WebServer' and grants Read and Enroll permissions. After that, a new ACL is written to the actual object.

Example 2

PS C:\> Get-CertificateTemplate -Name WebServer | Get-CertificateTemplateAcl | Remove-CertificateTemplateAcl -User OldWebServer -AccessType Allow | Set-CertificateTemplateAcl

This commands removes all granted permissions for 'OldWebServer' account from 'WebServer' certificate template ACL. After that, a new ACL will be written to the actual certificate template object (Set-CertificateTemplateAcl).

Related links


Minimum PowerShell version support

  • Windows PowerShell 3.0

Operating System Support

  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows 10
  • Windows 11
  • Windows Server 2008 R2 all editions
  • Windows Server 2012 all editions
  • Windows Server 2012 R2 all editions
  • Windows Server 2016 all editions
  • Windows Server 2019 all editions
  • Windows Server 2022 all editions