Add-ADObjectAce
NAME Add-ADObjectAce
SYNOPSIS
Adds a new Access Control Entry to an Access Control List defined on an Active Directory Object.
SYNTAX
Add-ADObjectAce -Identity <Object> [-Server <String>] -IdentityReference <String> -ActiveDirectoryRights
<String[]> [-ObjectTypeName <String>] [-InheritedObjectTypeName <String>] [-AccessControlType <String>]
[-InheritanceType <String>] [-Credential <PSCredential>] [-Force] [-WhatIf] [-Confirm] [<CommonParameters>]
DESCRIPTION
Adds a new Access Control Entry (ACE) to an Access Control List (ACL) defined on an Active Directory Object.
PARAMETERS
-Identity <Object>
The Identity of the Active Directory Object in either distinguishedName or GUID format or by reference.
Required? true
Position? named
Default value
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? false
-Server <String>
The target Active Directory Server / Domain Controller.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-IdentityReference <String>
The IdentityReference that will be defined on the ACE (DOMAIN\USERNAME).
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-ActiveDirectoryRights <String[]>
The Active Directory Rights that will be defined on the ACE.
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-ObjectTypeName <String>
The Object Type Name that will be defined on the ACE.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-InheritedObjectTypeName <String>
The Inherited Object Type Name that will be defined on the ACE.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-AccessControlType <String>
The Access Control Type (Allow / Deny) that will be defined on the ACE.
Required? false
Position? named
Default value Allow
Accept pipeline input? false
Accept wildcard characters? false
-InheritanceType <String>
The Inheritance Type that will be defined on the ACE.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Credential <PSCredential>
Credential to use.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Force [<SwitchParameter>]
Ignores any ShouldProcess warnings and applies the new ACE.
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-WhatIf [<SwitchParameter>]
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Confirm [<SwitchParameter>]
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
The identity parameter of the CmdLet accepts either a distinguishedName or ObjectGUID or AD Objects. AD Objects
which are passed by reference must include either a distinguishedName or ObjectGUID property.
OUTPUTS
None unless -WhatIf parameter is used in which case a cActiveDirectorySecurity.ACE object is returned.
-------------------------- EXAMPLE 1 --------------------------
PS C:\>Add-ADObjectAce -Identity "OU=Users,OU=GB,DC=contoso,DC=com" -IdentityReference "CONTOSO\GB User Management" -ActiveDirectoryRights ReadProperty,WriteProperty -ObjectTypeName Description -InheritedObjectTypeName User -InheritanceType Descendents -WhatIf
Adds a new ACE to ACL on AD object "OU=Users,OU=GB,DC=contoso,DC=com" for the Identity Reference "CONTOSO\GB User
Management" with Active Directory Rights "ReadProperty", "WriteProperty" for the Object Type with Name
"Description" and "InheritedObjectType" of Name "User" propagated to "Descendants".
As the -WhatIf parameter is specified the format of the new ACE is displayed, without being applied.
-------------------------- EXAMPLE 2 --------------------------
PS C:\>Add-ADObjectAce -Identity "OU=Users,OU=GB,DC=contoso,DC=com" -IdentityReference "CONTOSO\GB User Management" -ActiveDirectoryRights ReadProperty,WriteProperty -ObjectTypeName Description -InheritedObjectTypeName User -InheritanceType Descendents -Server dc1.contoso.com
Adds a new ACE to ACL on AD object "OU=Users,OU=GB,DC=contoso,DC=com" for the Identity Reference "CONTOSO\GB User
Management" with Active Directory Rights "ReadProperty", "WriteProperty" for the Object Type with Name
"Description" and "InheritedObjectType" of Name "User" propagated to "Descendants" targeting Domain Controller
"dc1.contoso.com".
User is prompted for confirmation.
-------------------------- EXAMPLE 3 --------------------------
PS C:\>Add-ADObjectAce -Identity "OU=Users,OU=GB,DC=contoso,DC=com" -IdentityReference "CONTOSO\GB User Management" -ActiveDirectoryRights ReadProperty,WriteProperty -ObjectTypeName Description -InheritedObjectTypeName User -InheritanceType Descendents -Server dc1.contoso.com -Credential $Credential -Force
Adds a new ACE to ACL on AD object "OU=Users,OU=GB,DC=contoso,DC=com" for the Identity Reference "CONTOSO\GB User
Management" with Active Directory Rights "ReadProperty", "WriteProperty" for the Object Type with Name
"Description" and "InheritedObjectType" of Name "User" propagated to "Descendants" targeting Domain Controller
"dc1.contoso.com" with the specified credentials.
As the -Force parameter is specified, the user is not prompted for confirmation.
-------------------------- EXAMPLE 4 --------------------------
PS C:\>Get-ADUser -Filter {department -like "Marketing"} | Add-ADObjectAce -IdentityReference "CONTOSO\Marketing Support Team" -ActiveDirectoryRights ReadProperty,WriteProperty -ObjectTypeName "Private-Information" -InheritanceType All -WhatIf
Retrieves all users with a department value of "Marketing" and adds a new ACE to ACL for the Identity Reference
"CONTOSO\Marketing Support Team" with Active Directory Rights "ReadProperty", "WriteProperty" for the Object Type
with Name "Private-Information" and "InheritanceType" of "All".
As the -WhatIf parameter is specified the format of the new ACE is displayed, without being applied.
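The following is an added example, not part of the cmdlet's own help: after the ACE from Example 2 has been applied, it reads the ACL back and checks that the delegation is scoped to the Description attribute on User objects rather than to every attribute. It assumes the RSAT ActiveDirectory module is installed (for the AD: drive, Get-ADObject and Get-ADRootDSE); Get-SchemaGuid is a hypothetical helper, and the contoso names are reused from the examples above.

```powershell
# Added example: verify a delegated ACE after Add-ADObjectAce.
# Assumption: the ActiveDirectory (RSAT) module is available.
Import-Module ActiveDirectory

$ouDn     = 'OU=Users,OU=GB,DC=contoso,DC=com'   # OU from the examples above
$trustee  = 'CONTOSO\GB User Management'         # IdentityReference from the examples above
$schemaNc = (Get-ADRootDSE).schemaNamingContext

# Hypothetical helper: resolve a schema object's GUID from its lDAPDisplayName.
function Get-SchemaGuid ([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}
$descriptionGuid = Get-SchemaGuid 'description'   # expected ObjectType
$userGuid        = Get-SchemaGuid 'user'          # expected InheritedObjectType

# Read the ACL back through the AD: drive; keep only explicit ACEs for the trustee.
$aces = (Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $trustee -and -not $_.IsInherited }

foreach ($ace in $aces) {
    $writes = $ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $scoped = $ace.ObjectType -eq $descriptionGuid -and $ace.InheritedObjectType -eq $userGuid

    # WriteProperty with an empty ObjectType GUID applies to every attribute.
    if ($writes -and $ace.ObjectType -eq [guid]::Empty) {
        $finding = 'WriteProperty on ALL attributes'
    } elseif ($scoped) {
        $finding = 'Scoped to description on user objects'
    } else {
        $finding = 'Review'
    }

    [pscustomobject]@{
        Rights      = $ace.ActiveDirectoryRights
        Type        = $ace.AccessControlType
        Inheritance = $ace.InheritanceType
        ObjectType  = $ace.ObjectType
        AppliesTo   = $ace.InheritedObjectType
        Finding     = $finding
    }
}
```

Any row reporting "WriteProperty on ALL attributes" means the ACE was created without an effective -ObjectTypeName and grants far more than the intended delegation.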
RELATED LINKS