Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1
Topic Last Modified: 2007-06-28

Use the Remove-ADPermission cmdlet to remove permissions from an Active Directory directory server object.

Syntax

Remove-ADPermission -Identity <ADRawEntryIdParameter> -User <SecurityPrincipalIdParameter> [-AccessRights <ActiveDirectoryRights[]>] [-ChildObjectTypes <ADSchemaObjectIdParameter[]>] [-Confirm [<SwitchParameter>]] [-Deny <SwitchParameter>] [-DomainController <Fqdn>] [-ExtendedRights <ExtendedRightIdParameter[]>] [-InheritanceType <None | All | Descendents | SelfAndChildren | Children>] [-InheritedObjectType <ADSchemaObjectIdParameter>] [-Properties <ADSchemaObjectIdParameter[]>] [-WhatIf [<SwitchParameter>]]
Remove-ADPermission [-Identity <ADRawEntryIdParameter>] -Instance <ADAcePresentationObject> [-AccessRights <ActiveDirectoryRights[]>] [-ChildObjectTypes <ADSchemaObjectIdParameter[]>] [-Confirm [<SwitchParameter>]] [-Deny <SwitchParameter>] [-DomainController <Fqdn>] [-ExtendedRights <ExtendedRightIdParameter[]>] [-InheritanceType <None | All | Descendents | SelfAndChildren | Children>] [-InheritedObjectType <ADSchemaObjectIdParameter>] [-Properties <ADSchemaObjectIdParameter[]>] [-User <SecurityPrincipalIdParameter>] [-WhatIf [<SwitchParameter>]]
Remove-ADPermission -Identity <ADRawEntryIdParameter> [-Confirm [<SwitchParameter>]] [-DomainController <Fqdn>] [-WhatIf [<SwitchParameter>]]

Parameters

Parameter Required Type Description

Identity

Required

Microsoft.Exchange.Configuration.Tasks.ADRawEntryIdParameter

The Identity parameter specifies the identity of the object from which permissions are removed.

Instance

Required

Microsoft.Exchange.Management.RecipientTasks.ADAcePresentationObject

The Instance parameter enables you to pass an entire object to the command to be processed. It is mainly used in scripts where an entire object must be passed to the command.

User

Required

Microsoft.Exchange.Configuration.Tasks.SecurityPrincipalIdParameter

The User parameter specifies the user object that will have permissions removed.

AccessRights

Optional

System.DirectoryServices.ActiveDirectoryRights[]

The AccessRights parameter specifies the rights needed to perform the operation. Valid values include:

  • CreateChild

  • DeleteChild

  • ListChildren

  • Self

  • ReadProperty

  • WriteProperty

  • DeleteTree

  • ListObject

  • ExtendedRight

  • Delete

  • ReadControl

  • GenericExecute

  • GenericWrite

  • GenericRead

  • WriteDacl

  • WriteOwner

  • GenericAll

  • Synchronize

  • AccessSystemSecurity

ChildObjectTypes

Optional

Microsoft.Exchange.Configuration.Tasks.ADSchemaObjectIdParameter[]

The ChildObjectTypes parameter specifies the type of object that the permission applies to.

Deny

Optional

System.Management.Automation.SwitchParameter

The Deny parameter denies permissions to the user on the Active Directory object.

DomainController

Optional

Microsoft.Exchange.Data.Fqdn

To specify the fully qualified domain name (FQDN) of the domain controller that retrieves data from Active Directory, include the DomainController parameter in the command.

ExtendedRights

Optional

Microsoft.Exchange.Configuration.Tasks.ExtendedRightIdParameter[]

The ExtendedRights parameter specifies the extended rights needed to perform the operation. Valid values include:

  • Send-As

  • Receive-As

  • View Information Store status

InheritanceType

Optional

System.DirectoryServices.ActiveDirectorySecurityInheritance

The InheritanceType parameter specifies whether permissions are inherited.

InheritedObjectType

Optional

Microsoft.Exchange.Configuration.Tasks.ADSchemaObjectIdParameter

The InheritedObjectType parameter specifies what kind of object inherits this access control entry (ACE).

Properties

Optional

Microsoft.Exchange.Configuration.Tasks.ADSchemaObjectIdParameter[]

The Properties parameter specifies what properties the object contains.

Confirm

Optional

System.Management.Automation.SwitchParameter

The Confirm parameter causes the command to pause processing and requires you to acknowledge what the command will do before processing continues. You do not have to specify a value with the Confirm parameter.

WhatIf

Optional

System.Management.Automation.SwitchParameter

The WhatIf parameter instructs the command to simulate the actions that it would take on the object. By using the WhatIf parameter, you can view what changes would occur without having to apply any of those changes. You don't have to specify a value with the WhatIf parameter.

Detailed Description

The Remove-ADPermission cmdlet removes permissions from an Active Directory object.

To run the Remove-ADPermission cmdlet, the account you use must be delegated the following:

  • Exchange Recipient Administrator role

  • Account Operator role for the applicable Active Directory containers 

For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.

For more information about extended rights, see Permissions.

Example

This example removes the Send-As permission on the Administrator object from user Test1.

Remove-ADPermission -Identity Administrator -user Test1 -ExtendedRights "send as"
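
The following is an added example, not part of the original topic. It shows the scripted use of the Instance parameter set described above: ACEs returned by Get-ADPermission are filtered, previewed with WhatIf, and then piped to Remove-ADPermission. It assumes the Exchange Management Shell and reuses the object names Administrator and Test1 from the example above; the variable names are illustrative.

```powershell
# Added example: review and remove explicit Send-As / Receive-As grants.
# Assumes the Exchange Management Shell. 'Administrator' and 'Test1' are the
# names used in the topic's own example; variable names are illustrative.
$target  = 'Administrator'   # object whose ACL is being cleaned up
$trustee = 'Test1'           # security principal that holds the permission

# 1. Read the ACEs that name the trustee on the target object.
$aces = Get-ADPermission -Identity $target -User $trustee

# 2. Keep only explicit (non-inherited) allow ACEs that grant Send-As or
#    Receive-As. Inherited ACEs have to be removed on the parent object
#    they come from, so they are excluded here.
$toRemove = $aces | Where-Object {
    (-not $_.IsInherited) -and
    (-not $_.Deny) -and
    (($_.ExtendedRights -like 'Send-As') -or ($_.ExtendedRights -like 'Receive-As'))
}

# 3. Record what is about to change so the removal can be reviewed or undone.
$toRemove | Format-Table Identity, User, ExtendedRights, Deny, IsInherited -AutoSize

# 4. Dry run: WhatIf reports each removal without changing the ACL.
$toRemove | Remove-ADPermission -WhatIf

# 5. Apply: each ACE object is bound to the Instance parameter from the
#    pipeline; Confirm makes the command pause for acknowledgement.
$toRemove | Remove-ADPermission -Confirm

# 6. Verify: list any Send-As / Receive-As ACEs the trustee still has,
#    which at this point can only be inherited or deny entries.
Get-ADPermission -Identity $target -User $trustee |
    Where-Object { ($_.ExtendedRights -like 'Send-As') -or ($_.ExtendedRights -like 'Receive-As') } |
    Format-Table Identity, User, ExtendedRights, Deny, IsInherited -AutoSize
```

If step 6 still lists an entry with IsInherited set to True, the grant comes from a parent container and remains in effect until it is removed there.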