
Set-ADCentralAccessRule



This is the built-in help made by Microsoft for the command 'Set-ADCentralAccessRule', in PowerShell version 5 - as retrieved from Windows version 'Microsoft Windows Server 2012 R2 Standard' PowerShell help files on 2016-06-23.

For PowerShell version 3 and up, where you have Update-Help, this command was run just before creating the web pages from the help files.

SYNOPSIS

Modifies a central access rule in Active Directory.

SYNTAX


Set-ADCentralAccessRule [-Identity] <ADCentralAccessRule> [-Add <Hashtable>] [-AuthType {Negotiate | Basic}] [-Clear <String[]>] [-Credential <PSCredential>] [-CurrentAcl <String>] [-Description <String>] [-PassThru] [-ProposedAcl <String>] [-ProtectedFromAccidentalDeletion <Boolean>] [-Remove <Hashtable>] [-Replace <Hashtable>] [-ResourceCondition <String>] [-Server <String>] [-Confirm] [-WhatIf] [<CommonParameters>]

Set-ADCentralAccessRule [-AuthType {Negotiate | Basic}] [-Credential <PSCredential>] [-PassThru] [-Server <String>] -Instance <ADCentralAccessRule> [-Confirm] [-WhatIf] [<CommonParameters>]




DESCRIPTION


The Set-ADCentralAccessRule cmdlet can be used to modify a central access rule in a central access policy that is stored in Active Directory.




RELATED LINKS

Online Version: http://go.microsoft.com/fwlink/p/?linkid=291110
Get-ADCentralAccessRule
New-ADCentralAccessRule
Remove-ADCentralAccessRule

REMARKS


Examples


-------------------------- EXAMPLE 1 --------------------------

PS C:\>$departmentResourceProperty = Get-ADResourceProperty -Identity Department
PS C:\> $resourceCondition = "(@RESOURCE." + $departmentResourceProperty.Name + " Contains {`"Finance`"})"
PS C:\> Set-ADCentralAccessRule -Identity "Finance Documents Rule" -ResourceCondition $resourceCondition



This example sets the central access rule named Finance Documents Rule with a new resource condition. The resource condition scopes the resources to ones containing the
value Finance in their Department resource property.




-------------------------- EXAMPLE 2 --------------------------

PS C:\>$countryClaimType = Get-ADClaimType -Identity Country
PS C:\> $departmentClaimType = Get-ADClaimType -Identity Department
PS C:\> $countryResourceProperty = Get-ADResourceProperty -Identity Country
PS C:\> $departmentResourceProperty = Get-ADResourceProperty -Identity Department
PS C:\> $financeException = Get-ADGroup -Identity FinanceException
PS C:\> $financeAdmin = Get-ADGroup -Identity FinanceAdmin
PS C:\> $resourceCondition = "(@RESOURCE." + $departmentResourceProperty.Name + " Contains {`"Finance`"})"
PS C:\> $currentAcl = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;0x1200a9;;;" + $financeException.SID.Value + ")(A;;0x1301bf;;;" + $financeAdmin.SID.Value + ")(A;;FA;;;SY)(XA;;0x1200a9;;;AU;((@USER." + $countryClaimType.Name + " Any_of @RESOURCE." + $countryResourceProperty.Name + ") && (@USER." + $departmentClaimType.Name + " Any_of @RESOURCE." + $departmentResourceProperty.Name + ")))"
PS C:\> Set-ADCentralAccessRule -Identity "Finance Documents Rule" -ResourceCondition $resourceCondition -CurrentAcl $currentAcl



This example sets the central access rule named Finance Documents Rule with a new resource condition and new permissions.

The new rule specifies that documents should only be read by members of the Finance department. Members of the Finance department should only be able to access documents in
their own country. Only Finance Administrators should have write access. The rule allows an exception for members of the FinanceException group. This group will have read
access.

Targeting:

-- Resource.Department Contains Finance

Access rules:

-- Allow Read User.Country=Resource.Country AND User.department = Resource.Department
-- Allow Full control User.MemberOf(FinanceAdmin)
-- Allow Read User.MemberOf(FinanceException)
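
The following is an added example, not part of the Microsoft help text: it stages the ACL from Example 2 through -ProposedAcl (listed in the syntax above) instead of writing it straight to -CurrentAcl, so the enforced permissions stay unchanged while the new ones are reviewed. It assumes the rule, groups, claim types and resource properties from Example 2 exist; $backupPath is a hypothetical location.

```powershell
# Added example: stage and review an ACL change before enforcing it.
Import-Module ActiveDirectory

$ruleName   = "Finance Documents Rule"
$backupPath = "C:\Temp\FinanceDocumentsRule-before.xml"   # hypothetical path

# 1. Record the rule as it is now, for review and rollback.
$before = Get-ADCentralAccessRule -Identity $ruleName
$before | Select-Object Name, ResourceCondition, CurrentAcl, ProposedAcl |
    Export-Clixml -Path $backupPath

# 2. Build the new ACL from the same objects Example 2 uses.
$countryClaimType           = Get-ADClaimType -Identity Country
$departmentClaimType        = Get-ADClaimType -Identity Department
$countryResourceProperty    = Get-ADResourceProperty -Identity Country
$departmentResourceProperty = Get-ADResourceProperty -Identity Department
$financeException           = Get-ADGroup -Identity FinanceException
$financeAdmin               = Get-ADGroup -Identity FinanceAdmin

$newAcl = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)" +
    "(A;;0x1200a9;;;" + $financeException.SID.Value + ")" +
    "(A;;0x1301bf;;;" + $financeAdmin.SID.Value + ")" +
    "(A;;FA;;;SY)" +
    "(XA;;0x1200a9;;;AU;((@USER." + $countryClaimType.Name +
    " Any_of @RESOURCE." + $countryResourceProperty.Name +
    ") && (@USER." + $departmentClaimType.Name +
    " Any_of @RESOURCE." + $departmentResourceProperty.Name + ")))"

# 3. Dry run: -WhatIf reports the intended change without writing it.
Set-ADCentralAccessRule -Identity $ruleName -ProposedAcl $newAcl -WhatIf

# 4. Stage the ACL as proposed permissions only.
Set-ADCentralAccessRule -Identity $ruleName -ProposedAcl $newAcl

# 5. Read the rule back and confirm the enforced ACL was not touched.
$after = Get-ADCentralAccessRule -Identity $ruleName
if ($after.CurrentAcl -ne $before.CurrentAcl) {
    Write-Warning "CurrentAcl changed unexpectedly; compare with $backupPath"
}
$after | Format-List Name, ResourceCondition, CurrentAcl, ProposedAcl

# 6. After review, enforce the staged ACL (left commented out on purpose):
# Set-ADCentralAccessRule -Identity $ruleName -CurrentAcl $newAcl
```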




-------------------------- EXAMPLE 3 --------------------------

PS C:\>Get-ADCentralAccessRule -Identity "Finance Documents Rule" | Set-ADCentralAccessRule -Description "For finance documents."



This command gets the central access rule named Finance Documents Rule and sets its description to "For finance documents."