Applies to: Exchange Server 2007 SP3, Exchange Server
2007 SP2, Exchange Server 2007 SP1
Topic Last Modified: 2007-06-28
Use the Remove-ADPermission cmdlet to remove permissions from an Active Directory directory server object.
Syntax
Remove-ADPermission -Identity
<ADRawEntryIdParameter> -User
<SecurityPrincipalIdParameter> [-AccessRights
<ActiveDirectoryRights[]>] [-ChildObjectTypes
<ADSchemaObjectIdParameter[]>] [-Confirm
[<SwitchParameter>]] [-Deny <SwitchParameter>]
[-DomainController <Fqdn>] [-ExtendedRights
<ExtendedRightIdParameter[]>] [-InheritanceType <None |
All | Descendents | SelfAndChildren | Children>]
[-InheritedObjectType <ADSchemaObjectIdParameter>]
[-Properties <ADSchemaObjectIdParameter[]>] [-WhatIf
[<SwitchParameter>]]
|
Remove-ADPermission [-Identity
<ADRawEntryIdParameter>] -Instance
<ADAcePresentationObject> [-AccessRights
<ActiveDirectoryRights[]>] [-ChildObjectTypes
<ADSchemaObjectIdParameter[]>] [-Confirm
[<SwitchParameter>]] [-Deny <SwitchParameter>]
[-DomainController <Fqdn>] [-ExtendedRights
<ExtendedRightIdParameter[]>] [-InheritanceType <None |
All | Descendents | SelfAndChildren | Children>]
[-InheritedObjectType <ADSchemaObjectIdParameter>]
[-Properties <ADSchemaObjectIdParameter[]>] [-User
<SecurityPrincipalIdParameter>] [-WhatIf
[<SwitchParameter>]]
|
Remove-ADPermission -Identity
<ADRawEntryIdParameter> [-Confirm [<SwitchParameter>]]
[-DomainController <Fqdn>] [-WhatIf
[<SwitchParameter>]]
|
Parameters
Parameter | Required | Type | Description |
---|---|---|---|
Identity |
Required |
Microsoft.Exchange.Configuration.Tasks.ADRawEntryIdParameter |
The Identity parameter specifies the identity of the object that is getting permissions removed. |
Instance |
Required |
Microsoft.Exchange.Management.RecipientTasks.ADAcePresentationObject |
The Instance parameter enables you to pass an entire object to the command to be processed. It is mainly used in scripts where an entire object must be passed to the command. |
User |
Required |
Microsoft.Exchange.Configuration.Tasks.SecurityPrincipalIdParameter |
The User parameter specifies the user object that will have permissions removed. |
AccessRights |
Optional |
System.DirectoryServices.ActiveDirectoryRights[] |
The AccessRights parameter specifies the rights needed to perform the operation. Valid values include:
|
ChildObjectTypes |
Optional |
Microsoft.Exchange.Configuration.Tasks.ADSchemaObjectIdParameter[] |
The ChildObjectTypes parameter specifies what type of object the permission is with. |
Deny |
Optional |
System.Management.Automation.SwitchParameter |
The Deny parameter denies permissions to the user on the Active Directory object. |
DomainController |
Optional |
Microsoft.Exchange.Data.Fqdn |
To specify the fully qualified domain name (FQDN) of the domain controller that retrieves data from Active Directory, include the DomainController parameter in the command. |
ExtendedRights |
Optional |
Microsoft.Exchange.Configuration.Tasks.ExtendedRightIdParameter[] |
The ExtendedRights parameter specifies the extended rights needed to perform the operation. Valid values include:
|
InheritanceType |
Optional |
System.DirectoryServices.ActiveDirectorySecurityInheritance |
The InheritanceType parameter specifies whether permissions are inherited. |
InheritedObjectType |
Optional |
Microsoft.Exchange.Configuration.Tasks.ADSchemaObjectIdParameter |
The InheritedObjectType specifies what kind of object inherits this access control entry (ACE). |
Properties |
Optional |
Microsoft.Exchange.Configuration.Tasks.ADSchemaObjectIdParameter[] |
The Properties parameter specifies what properties the object contains. |
Confirm |
Optional |
System.Management.Automation.SwitchParameter |
The Confirm parameter causes the command to pause processing and requires you to acknowledge what the command will do before processing continues. You do not have to specify a value with the Confirm parameter. |
WhatIf |
Optional |
System.Management.Automation.SwitchParameter |
The WhatIf parameter instructs the command to simulate the actions that it would take on the object. By using the WhatIf parameter, you can view what changes would occur without having to apply any of those changes. You don't have to specify a value with the WhatIf parameter. |
Detailed Description
The Remove-ADPermission cmdlet removes permissions from an Active Directory object.
To run the Remove-ADPermission cmdlet, the account you use must be delegated the following:
- Exchange Recipient Administrator role
- Account Operator role for the applicable Active Directory
containers
For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.
For more information about extended rights, see Permissions.
Input Types
Return Types
Errors
Error | Description |
---|---|
Exceptions
Exceptions | Description |
---|---|
Example
This example will remove send as permissions from user Test1.
Copy Code | |
---|---|
Remove-ADPermission -Identity Administrator -user Test1 -ExtendedRights "send as" |