Applies to: Exchange Server 2007
Topic Last Modified: 2007-06-11
Use the Remove-ADPermission cmdlet to remove permissions from an Active Directory directory server object.
Syntax
Remove-ADPermission -Identity <ADRawEntryIdParameter> -User <SecurityPrincipalIdParameter> [-AccessRights <ActiveDirectoryRights[]>] [-ChildObjectTypes <ADSchemaObjectIdParameter[]>] [-Deny <SwitchParameter>] [-DomainController <Fqdn>] [-ExtendedRights <ExtendedRightIdParameter[]>] [-InheritanceType <None | All | Descendents | SelfAndChildren | Children>] [-InheritedObjectType <ADSchemaObjectIdParameter>] [-Properties <ADSchemaObjectIdParameter[]>]
Remove-ADPermission [-Identity <ADRawEntryIdParameter>] -Instance <ADAcePresentationObject> [-AccessRights <ActiveDirectoryRights[]>] [-ChildObjectTypes <ADSchemaObjectIdParameter[]>] [-Deny <SwitchParameter>] [-DomainController <Fqdn>] [-ExtendedRights <ExtendedRightIdParameter[]>] [-InheritanceType <None | All | Descendents | SelfAndChildren | Children>] [-InheritedObjectType <ADSchemaObjectIdParameter>] [-Properties <ADSchemaObjectIdParameter[]>] [-User <SecurityPrincipalIdParameter>]
Remove-ADPermission -Identity <ADRawEntryIdParameter> [-DomainController <Fqdn>]
Detailed Description
The Remove-ADPermission cmdlet removes permissions from an Active Directory object.
To run the Remove-ADPermission cmdlet, the account you use must be delegated the following:
-
Exchange Recipient Administrator role
-
Account Operator role for the applicable Active Directory containers
For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.
For more information about extended rights, see Permissions.
Parameters
|
Parameter
|
Required
|
Type
|
Description
|
|---|
|
Identity
|
Required
|
Microsoft.Exchange.Configuration.Tasks.ADRawEntryIdParameter
|
The Identity parameter specifies the identity of the object that is getting permissions removed.
|
|
Instance
|
Required
|
Microsoft.Exchange.Management.RecipientTasks.ADAcePresentationObject
|
The Instance parameter enables you to pass an entire object to the command to be processed. It is mainly used in scripts where an entire object must be passed to the command.
|
|
User
|
Required
|
Microsoft.Exchange.Configuration.Tasks.SecurityPrincipalIdParameter
|
The User parameter specifies the user object that will have permissions removed.
|
|
AccessRights
|
Optional
|
System.DirectoryServices.ActiveDirectoryRights[]
|
The AccessRights parameter specifies the rights needed to perform the operation. Valid values include:
-
CreateChild
-
DeleteChild
-
ListChildren
-
Self
-
ReadProperty
-
WriteProperty
-
DeleteTree
-
ListObject
-
ExtendedRight
-
Delete
-
ReadControl
-
GenericExecute
-
GenericWrite
-
GenericRead
-
WriteDacl
-
WriteOwner
-
GenericAll
-
Synchronize
-
AccessSystemSecurity
|
|
ChildObjectTypes
|
Optional
|
Microsoft.Exchange.Configuration.Tasks.ADSchemaObjectIdParameter[]
|
The ChildObjectTypes parameter specifies what type of object the permission is with.
|
|
Deny
|
Optional
|
System.Management.Automation.SwitchParameter
|
The Deny parameter denies permissions to the user on the Active Directory object.
|
|
DomainController
|
Optional
|
Microsoft.Exchange.Data.Fqdn
|
To specify the fully qualified domain name (FQDN) of the domain controller that retrieves data from Active Directory, include the DomainController parameter in the command.
|
|
ExtendedRights
|
Optional
|
Microsoft.Exchange.Configuration.Tasks.ExtendedRightIdParameter[]
|
The ExtendedRights parameter specifies the extended rights needed to perform the operation. Valid values include:
-
Send-As
-
Receive-As
-
View Information Store status
|
|
InheritanceType
|
Optional
|
System.DirectoryServices.ActiveDirectorySecurityInheritance
|
The InheritanceType parameter specifies whether permissions are inherited.
|
|
InheritedObjectType
|
Optional
|
Microsoft.Exchange.Configuration.Tasks.ADSchemaObjectIdParameter
|
The InheritedObjectType specifies what kind of object inherits this access control entry (ACE).
|
|
Properties
|
Optional
|
Microsoft.Exchange.Configuration.Tasks.ADSchemaObjectIdParameter[]
|
The Properties parameter specifies what properties the object contains.
|
Input Types
Return Types
Errors
Exceptions
Example
This example will remove send as permissions from user Test1.
Remove-ADPermission -Identity Administrator -user Test1 -ExtendedRights "send as"