Applies to: Exchange Server 2007
Topic Last Modified: 2007-06-11

Use the Remove-ADPermission cmdlet to remove permissions from an Active Directory directory server object.

Syntax


`Remove-ADPermission -Identity <ADRawEntryIdParameter> -User <SecurityPrincipalIdParameter> [-AccessRights <ActiveDirectoryRights[]>] [-ChildObjectTypes <ADSchemaObjectIdParameter[]>] [-Deny <SwitchParameter>] [-DomainController <Fqdn>] [-ExtendedRights <ExtendedRightIdParameter[]>] [-InheritanceType <None \| All \| Descendents \| SelfAndChildren \| Children>] [-InheritedObjectType <ADSchemaObjectIdParameter>] [-Properties <ADSchemaObjectIdParameter[]>]`

Remove-ADPermission -Identity
<ADRawEntryIdParameter> -User
<SecurityPrincipalIdParameter> [-AccessRights
<ActiveDirectoryRights[]>] [-ChildObjectTypes
<ADSchemaObjectIdParameter[]>] [-Deny
<SwitchParameter>] [-DomainController <Fqdn>]
[-ExtendedRights <ExtendedRightIdParameter[]>]
[-InheritanceType <None | All | Descendents | SelfAndChildren |
Children>] [-InheritedObjectType
<ADSchemaObjectIdParameter>] [-Properties
<ADSchemaObjectIdParameter[]>]


`Remove-ADPermission [-Identity <ADRawEntryIdParameter>] -Instance <ADAcePresentationObject> [-AccessRights <ActiveDirectoryRights[]>] [-ChildObjectTypes <ADSchemaObjectIdParameter[]>] [-Deny <SwitchParameter>] [-DomainController <Fqdn>] [-ExtendedRights <ExtendedRightIdParameter[]>] [-InheritanceType <None \| All \| Descendents \| SelfAndChildren \| Children>] [-InheritedObjectType <ADSchemaObjectIdParameter>] [-Properties <ADSchemaObjectIdParameter[]>] [-User <SecurityPrincipalIdParameter>]`

Remove-ADPermission [-Identity
<ADRawEntryIdParameter>] -Instance
<ADAcePresentationObject> [-AccessRights
<ActiveDirectoryRights[]>] [-ChildObjectTypes
<ADSchemaObjectIdParameter[]>] [-Deny
<SwitchParameter>] [-DomainController <Fqdn>]
[-ExtendedRights <ExtendedRightIdParameter[]>]
[-InheritanceType <None | All | Descendents | SelfAndChildren |
Children>] [-InheritedObjectType
<ADSchemaObjectIdParameter>] [-Properties
<ADSchemaObjectIdParameter[]>] [-User
<SecurityPrincipalIdParameter>]


`Remove-ADPermission -Identity <ADRawEntryIdParameter> [-DomainController <Fqdn>]`

Parameters

Parameter	Required	Type	Description
Identity	Required	Microsoft.Exchange.Configuration.Tasks.ADRawEntryIdParameter	The Identity parameter specifies the identity of the object that is getting permissions removed.
Instance	Required	Microsoft.Exchange.Management.RecipientTasks.ADAcePresentationObject	The Instance parameter enables you to pass an entire object to the command to be processed. It is mainly used in scripts where an entire object must be passed to the command.
User	Required	Microsoft.Exchange.Configuration.Tasks.SecurityPrincipalIdParameter	The User parameter specifies the user object that will have permissions removed.
AccessRights	Optional	System.DirectoryServices.ActiveDirectoryRights[]	The AccessRights parameter specifies the rights needed to perform the operation. Valid values include: CreateChild DeleteChild ListChildren Self ReadProperty WriteProperty DeleteTree ListObject ExtendedRight Delete ReadControl GenericExecute GenericWrite GenericRead WriteDacl WriteOwner GenericAll Synchronize AccessSystemSecurity
ChildObjectTypes	Optional	Microsoft.Exchange.Configuration.Tasks.ADSchemaObjectIdParameter[]	The ChildObjectTypes parameter specifies what type of object the permission is with.
Deny	Optional	System.Management.Automation.SwitchParameter	The Deny parameter denies permissions to the user on the Active Directory object.
DomainController	Optional	Microsoft.Exchange.Data.Fqdn	To specify the fully qualified domain name (FQDN) of the domain controller that retrieves data from Active Directory, include the DomainController parameter in the command.
ExtendedRights	Optional	Microsoft.Exchange.Configuration.Tasks.ExtendedRightIdParameter[]	The ExtendedRights parameter specifies the extended rights needed to perform the operation. Valid values include: Send-As Receive-As View Information Store status
InheritanceType	Optional	System.DirectoryServices.ActiveDirectorySecurityInheritance	The InheritanceType parameter specifies whether permissions are inherited.
InheritedObjectType	Optional	Microsoft.Exchange.Configuration.Tasks.ADSchemaObjectIdParameter	The InheritedObjectType specifies what kind of object inherits this access control entry (ACE).
Properties	Optional	Microsoft.Exchange.Configuration.Tasks.ADSchemaObjectIdParameter[]	The Properties parameter specifies what properties the object contains.

Detailed Description

The Remove-ADPermission cmdlet removes permissions from an Active Directory object.

To run the Remove-ADPermission cmdlet, the account you use must be delegated the following:

Exchange Recipient Administrator role
Account Operator role for the applicable Active Directory containers

For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.

For more information about extended rights, see Permissions.

Input Types

Return Types

Errors

Error	Description

Exceptions

Exceptions	Description

Example

This example will remove send as permissions from user Test1.

	Copy Code
Remove-ADPermission -Identity Administrator -user Test1 -ExtendedRights "send as"