Active Directory – How to Set ACL of a CA Programmatically

Tags: active-directory, ad-certificate-services, certificate-authority, powershell, windows-server-2019

When launching the CA console (certsrv.msc), I can right-click on my CA, select Properties and then I can modify the ACL of my CA in the Security tab. When I modify it, the changes are applied to the AD object at:

CN=MY-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com

When I view it in the ADSI editor, the modified ACL entries are not inherited but directly applied (as expected). But when I change the ACL of this object programmatically, e.g. by:

Import-Module ActiveDirectory
# AD: PSDrive path of the CA's enrollment-services object
$path = 'AD:CN=MY-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com'
$acl = Get-Acl -Path $path
$acl.AddAccessRule(...)   # add the desired ActiveDirectoryAccessRule here
Set-Acl -Path $path -AclObject $acl

Then I can see those changes in the ADSI editor, but I cannot see those changes when I view the ACL of my CA via the CA console.

So, am I doing something wrong? Do I have to modify other objects programmatically as well?


What I tried:

  • After the change, I forced the AD to sync with: repadmin /syncall /Aed
  • I restarted the CA service certsvc

But it does not seem to be a "sync" problem…

Best Answer

These ACLs are somewhat different. The ACL on the AD object affects only the AD entry and is not propagated down to the CA.

The ACL you see in the CA Management console is stored in the CA configuration, in the registry.

I'm not sure if there is an easy way to edit permissions on the CA using PowerShell natively (without 3rd party tools). However, I would recommend using the PowerShell PKI module to simplify the task. The module contains several ACL-related commands:

P.S. I'm the author of this PSPKI module.

Every command has built-in and online help with useful examples on how to use each command.
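To see why the AD-side change never shows up in certsrv.msc, it helps to look at the ACL the CA actually enforces. The script below is an added example (not from the question, the answer, or the PSPKI module): it reads the CA's security descriptor from the CertSvc configuration key in the registry and decodes the DACL into CA-specific rights, so you can compare it against whatever was written to the AD object. It assumes it runs on the CA host with local administrator rights, that $CaName matches the CA's configuration key name, and that the CA_ACCESS_* bit values used for decoding are the standard ones.

```powershell
# Added example: audit the CA's own ACL straight from the registry, where
# certsrv.msc stores it (assumed: run locally on the CA as an administrator).
param([string]$CaName = 'MY-CA')   # 'MY-CA' is the CA name from the question

# Bits of the CA access mask (standard CA_ACCESS_* values, assumed correct)
$CaRights = [ordered]@{
    ManageCA           = 0x001
    ManageCertificates = 0x002
    Auditor            = 0x004
    Operator           = 0x008
    Read               = 0x100
    Enroll             = 0x200
}

function Get-CaRegistryAcl {
    param([Parameter(Mandatory)][string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$Name"
    # 'Security' holds a self-relative security descriptor as REG_BINARY
    $bytes = (Get-ItemProperty -Path $key -Name Security).Security
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only allow/deny ACEs carry an access mask worth decoding
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $rights = foreach ($r in $CaRights.Keys) {
            if ($ace.AccessMask -band $CaRights[$r]) { $r }
        }
        # Resolve the SID to an account name when possible, else keep the SID
        try {
            $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $who = $ace.SecurityIdentifier.Value
        }
        [pscustomobject]@{
            Identity   = $who
            AceType    = $ace.AceType
            AccessMask = ('0x{0:X}' -f $ace.AccessMask)
            Rights     = ($rights -join ', ')
        }
    }
}

Get-CaRegistryAcl -Name $CaName | Format-Table -AutoSize
```

Any principal you granted rights to on the AD object but which is missing from this output has no rights on the CA itself; the CA console shows this registry ACL, not the AD one.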