This is the built-in help made by Microsoft for the command 'Set-ADCentralAccessRule', in PowerShell version 5 - as retrieved from
Windows version 'Microsoft Windows Server 2012 R2 Standard' PowerShell help files on 2016-06-23.
For PowerShell version 3 and up, where you have Update-Help, this command was run just before creating the web pages from the help files.
Modifies a central access rule in Active Directory.
Set-ADCentralAccessRule [-Identity] <ADCentralAccessRule> [-Add <Hashtable>] [-AuthType {Negotiate | Basic}] [-Clear <String[]>] [-Credential <PSCredential>] [-CurrentAcl
<String>] [-Description <String>] [-PassThru] [-ProposedAcl <String>] [-ProtectedFromAccidentalDeletion <Boolean>] [-Remove <Hashtable>] [-Replace <Hashtable>]
[-ResourceCondition <String>] [-Server <String>] [-Confirm] [-WhatIf] [<CommonParameters>]
Set-ADCentralAccessRule [-AuthType {Negotiate | Basic}] [-Credential <PSCredential>] [-PassThru] [-Server <String>] -Instance <ADCentralAccessRule> [-Confirm] [-WhatIf]
[<CommonParameters>]
The Set-ADCentralAccessRule cmdlet can be used to modify a central access rule in a central access policy that is stored in Active Directory.
<
Online Version: http://go.microsoft.com/fwlink/p/?linkid=291110
Get-ADCentralAccessRule
New-ADCentralAccessRule
Remove-ADCentralAccessRule
<
-------------------------- EXAMPLE 1 --------------------------
PS C:\>$departmentResourceProperty = Get-ADResourceProperty -Identity Department
PS C:\> $resourceCondition = "(@RESOURCE." + $departmentResourceProperty.Name + " Contains {`"Finance`"})"
PS C:\> Set-ADCentralAccessRule -Identity "Finance Documents Rule" -ResourceCondition $resourceCondition
This example sets the central access rule named Finance Documents Rule with a new resource condition. The resource condition scopes the resources to ones containing the
value Finance in their Department resource property.
-------------------------- EXAMPLE 2 --------------------------
PS C:\>$countryClaimType = Get-ADClaimType -Identity Country
PS C:\> $departmentClaimType = Get-ADClaimType -Identity Department
PS C:\> $countryResourceProperty = Get-ADResourceProperty -Identity Country
PS C:\> $departmentResourceProperty = Get-ADResourceProperty -Identity Department
PS C:\> $financeException = Get-ADGroup -Identity FinanceException
PS C:\> $financeAdmin = Get-ADGroup -Identity FinanceAdmin
PS C:\> $resourceCondition = "(@RESOURCE." + $departmentResourceProperty.Name + " Contains {`"Finance`"})"
PS C:\> $currentAcl = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;0x1200a9;;;" + $financeException.SID.Value + ")(A;;0x1301bf;;;" + $financeAdmin.SID.Value +
")(A;;FA;;;SY)(XA;;0x1200a9;;;AU;((@USER." + $countryClaimType.Name + " Any_of @RESOURCE." + $countryResourceProperty.Name + ") && (@USER." + $departmentClaimType.Name + "
Any_of @RESOURCE." + $departmentResourceProperty.Name + ")))"
PS C:\> Set-ADCentralAccessRule -Identity "Finance Documents Rule" -ResourceCondition $resourceCondition -CurrentAcl $currentAcl
This example sets the central access rule named Finance Documents Rule with a new resource condition and new permissions.
The new rule specifies that documents should only be read by members of the Finance department. Members of the Finance department should only be able to access documents in
their own country. Only Finance Administrators should have write access. The rule allows an exception for members of the FinanceException group. This group will have read
access.
Targeting:
-- Resource.Department Contains Finance
-- Allow Full control User.MemberOf(FinanceAdmin)
Access rules:
-- Allow Read User.Country=Resource.Country AND User.department = Resource.Department
-- Allow Full control User.MemberOf(FinanceAdmin)
-- Allow Read User.Country=Resource.Country AND User.department = Resource.Department
-- Allow Read User.MemberOf(FinanceException)
-------------------------- EXAMPLE 3 --------------------------
PS C:\>Get-ADCentralAccessRule -Identity "Finance Documents Rule" | Set-ADCentralAccessRule -Description "For finance documents."
This command gets the central access rule named Finance Documents Rule, and set the description to For finance documents.