Remove-ADObjectAce

Sun Jan 12, 2020 8:08 pm

NAME
    Remove-ADObjectAce

SYNOPSIS
    Removes an Access Control Entry from an Access Control List defined on an Active Directory Object.

SYNTAX
    Remove-ADObjectAce -Identity <Object> [-Server <String>] -IdentityReference <String> -ActiveDirectoryRights
    <String[]> [-ObjectTypeName <String>] [-InheritedObjectTypeName <String>] [-AccessControlType <String>]
    [-InheritanceType <String>] [-Credential <PSCredential>] [-Force] [-WhatIf] [-Confirm] [<CommonParameters>]

DESCRIPTION
    Removes an Access Control Entry (ACE) from an Access Control List (ACL) defined on an Active Directory Object.


PARAMETERS
    -Identity <Object>
        The Identity of the Active Directory Object, in either distinguishedName or GUID format, or by reference.

        Required?                    true
        Position?                    named
        Default value
        Accept pipeline input?       true (ByValue, ByPropertyName)
        Accept wildcard characters?  false

    -Server <String>
        The target Active Directory Server / Domain Controller.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?  false

    -IdentityReference <String>
        The IdentityReference defined on the ACE (DOMAIN\USERNAME) to be removed.

        Required?                    true
        Position?                    named
        Default value
        Accept pipeline input?       true (ByPropertyName)
        Accept wildcard characters?  false

    -ActiveDirectoryRights <String[]>
        The Active Directory Rights defined on the ACE to be removed.

        Required?                    true
        Position?                    named
        Default value
        Accept pipeline input?       true (ByPropertyName)
        Accept wildcard characters?  false

    -ObjectTypeName <String>
        The Object Type Name defined on the ACE to be removed.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?       true (ByPropertyName)
        Accept wildcard characters?  false

    -InheritedObjectTypeName <String>
        The Inherited Object Type Name defined on the ACE to be removed.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?       true (ByPropertyName)
        Accept wildcard characters?  false

    -AccessControlType <String>
        The Access Control Type (Allow / Deny) defined on the ACE to be removed.

        Required?                    false
        Position?                    named
        Default value                Allow
        Accept pipeline input?       true (ByPropertyName)
        Accept wildcard characters?  false

    -InheritanceType <String>
        The Inheritance Type defined on the ACE to be removed.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?       true (ByPropertyName)
        Accept wildcard characters?  false

    -Credential <PSCredential>
        Credential to use.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?  false

    -Force [<SwitchParameter>]
        Ignore any ShouldProcess warnings and remove the matching ACE.

        Required?                    false
        Position?                    named
        Default value                False
        Accept pipeline input?       false
        Accept wildcard characters?  false

    -WhatIf [<SwitchParameter>]

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?  false

    -Confirm [<SwitchParameter>]

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?  false

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer, PipelineVariable, and OutVariable. For more information, see
        about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).


INPUTS
    The -Identity parameter of the cmdlet accepts either a distinguishedName, an ObjectGUID or an AD Object. AD Objects
    which are passed by reference must include either a distinguishedName or ObjectGUID property.

OUTPUTS
    None, unless the -WhatIf parameter is used, in which case a cActiveDirectorySecurity.ACE object is returned.


    -------------------------- EXAMPLE 1 --------------------------

    PS C:\>Remove-ADObjectAce -Identity "OU=Users,OU=GB,DC=contoso,DC=com" -IdentityReference "CONTOSO\GB User
    Management" -ActiveDirectoryRights ReadProperty,WriteProperty -ObjectTypeName Description -InheritedObjectTypeName
    User -InheritanceType Descendents -WhatIf

    Removes the ACE from the ACL on AD object "OU=Users,OU=GB,DC=contoso,DC=com" for the Identity Reference
    "CONTOSO\GB User Management" with Active Directory Rights "ReadProperty", "WriteProperty" for the Object Type with
    Name "Description" and "InheritedObjectType" of Name "User" propagated to "Descendants".

    As the -WhatIf parameter is specified, the details of the existing ACE are displayed without it being removed.

    -------------------------- EXAMPLE 2 --------------------------

    PS C:\>Remove-ADObjectAce -Identity "OU=Users,OU=GB,DC=contoso,DC=com" -IdentityReference "CONTOSO\GB User
    Management" -ActiveDirectoryRights ReadProperty,WriteProperty -ObjectTypeName Description -InheritedObjectTypeName
    User -InheritanceType Descendents -Server dc1.contoso.com

    Removes the ACE from the ACL on AD object "OU=Users,OU=GB,DC=contoso,DC=com" for the Identity Reference "CONTOSO\GB
    User Management" with Active Directory Rights "ReadProperty", "WriteProperty" for the Object Type with Name
    "Description" and "InheritedObjectType" of Name "User" propagated to "Descendants", targeting Domain Controller
    "dc1.contoso.com".

    The user is prompted for confirmation.

    -------------------------- EXAMPLE 3 --------------------------

    PS C:\>Remove-ADObjectAce -Identity "OU=Users,OU=GB,DC=contoso,DC=com" -IdentityReference "CONTOSO\GB User
    Management" -ActiveDirectoryRights ReadProperty,WriteProperty -ObjectTypeName Description -InheritedObjectTypeName
    User -InheritanceType Descendents -Server dc1.contoso.com -Credential $Credential -Force

    Removes the ACE from the ACL on AD object "OU=Users,OU=GB,DC=contoso,DC=com" for the Identity Reference
    "CONTOSO\GB User Management" with Active Directory Rights "ReadProperty", "WriteProperty" for the Object Type with
    Name "Description" and "InheritedObjectType" of Name "User" propagated to "Descendants", targeting Domain
    Controller "dc1.contoso.com" with the specified credentials.

    As the -Force parameter is specified, the user is not prompted for confirmation.


    -------------------------- EXAMPLE 4 --------------------------

    PS C:\>Get-ADObjectAcl -Identity "OU=Users,OU=GB,DC=contoso,DC=com" -IdentityReference "CONTOSO\GB User
    Management" | Remove-ADObjectAce -Force

    Removes all matching ACEs from the ACL on object "OU=Users,OU=GB,DC=contoso,DC=com" for the Identity Reference
    "CONTOSO\GB User Management".

    As the -Force parameter is specified, the user is not prompted for confirmation.
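The script below is an added example and is not part of the module's help. It shows the workflow a defender would wrap around Remove-ADObjectAce when cleaning up an over-broad delegation: enumerate and back up the principal's ACEs with Get-ADObjectAcl, preview the removal with -WhatIf (which returns the matching cActiveDirectorySecurity.ACE objects without changing the ACL), then remove with confirmation and re-read the ACL to verify. It assumes the cActiveDirectorySecurity module is loaded and that the objects Get-ADObjectAcl emits carry the properties Remove-ADObjectAce binds ByPropertyName (IdentityReference, ActiveDirectoryRights, ObjectTypeName, InheritedObjectTypeName, AccessControlType, InheritanceType), as Example 4 relies on. The OU and group names are placeholders from the examples above, and the choice to filter on write-class rights is a constructed one; -Server and -Credential can be added to Remove-ADObjectAce as in Examples 2 and 3.

```powershell
# Added example (not the module's own code). Assumes the cActiveDirectorySecurity
# module is imported and that Get-ADObjectAcl output exposes the properties that
# Remove-ADObjectAce binds ByPropertyName (see Example 4). Names are placeholders.

$TargetOU  = 'OU=Users,OU=GB,DC=contoso,DC=com'   # placeholder from the examples above
$Principal = 'CONTOSO\GB User Management'          # placeholder from the examples above
$Backup    = "ace-backup-$(Get-Date -Format yyyyMMdd-HHmmss).csv"

# 1. Enumerate the ACEs granted to the principal on the OU and keep a copy before
#    changing anything, so the delegation can be re-created if the removal is wrong.
$aces = Get-ADObjectAcl -Identity $TargetOU -IdentityReference $Principal
if (-not $aces) {
    Write-Warning "No ACEs for '$Principal' found on '$TargetOU'; nothing to do."
    return
}
$aces | Export-Csv -Path $Backup -NoTypeInformation
$aces | Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights,
                     ObjectTypeName, InheritedObjectTypeName, InheritanceType -AutoSize

# 2. Select only the ACEs to remove (constructed filter: write-class rights).
#    Note that -AccessControlType defaults to Allow, so a Deny ACE is only matched
#    when the piped object (or an explicit parameter) supplies AccessControlType.
$toRemove = $aces | Where-Object {
    $_.ActiveDirectoryRights -match 'WriteProperty|WriteDacl|WriteOwner|GenericAll'
}
if (-not $toRemove) {
    Write-Host "No write-class ACEs for '$Principal' on '$TargetOU'; nothing to remove."
    return
}

# 3. Dry run: with -WhatIf the cmdlet returns the matching cActiveDirectorySecurity.ACE
#    objects and leaves the ACL untouched. Stop here if the preview is not what you expect.
$preview = $toRemove | Remove-ADObjectAce -WhatIf
$preview | Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights,
                        ObjectTypeName, InheritedObjectTypeName, InheritanceType -AutoSize

# 4. Real removal. -Force is deliberately omitted so each ACE is confirmed interactively;
#    -Verbose leaves a record of each removal next to the CSV backup written in step 1.
$toRemove | Remove-ADObjectAce -Confirm -Verbose

# 5. Verify: the ACL should no longer contain the removed rights for the principal.
Get-ADObjectAcl -Identity $TargetOU -IdentityReference $Principal |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectTypeName -AutoSize
```

Run the script once with step 4 commented out to validate the filter against the -WhatIf preview; the CSV written in step 1 holds the exact IdentityReference, rights and object types needed to restore an entry that should not have been removed.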

RELATED LINKS