API Reference
Command
Set-ADXACL
Replaces explicit ACL entries on an Active Directory object with governance-capable execution options.
Examples
Example 1: Preview a full explicit ACL replacement using legacy entry objects
$entries = @(
[ADPlayground.Acl.AclEntry]::new('S-1-5-21-1000-1000-1000-1101', [ADPlayground.Acl.AclRights]::GenericRead, [System.Security.AccessControl.AccessControlType]::Allow, [ADPlayground.Acl.AclInheritance]::Descendents, $false),
[ADPlayground.Acl.AclEntry]::new('S-1-5-21-1000-1000-1000-2105', [ADPlayground.Acl.AclRights]::WriteProperty, [System.Security.AccessControl.AccessControlType]::Allow, [ADPlayground.Acl.AclInheritance]::Children, $false)
)
Set-ADXACL -ADObject 'OU=Workstations,OU=Managed,DC=contoso,DC=com' -Entries $entries -WhatIf
Example 2: Replace explicit ACEs with request objects and return the governed result
$requests = @(
[ADPlayground.Acl.AdxAclPermissionRequest]@{ Identity = 'CONTOSO\Helpdesk Tier1'; Rights = [ADPlayground.Acl.AclRights]::ReadProperty; AccessControlType = [System.Security.AccessControl.AccessControlType]::Allow; Inheritance = [ADPlayground.Acl.AclInheritance]::Descendents },
[ADPlayground.Acl.AdxAclPermissionRequest]@{ Identity = 'CONTOSO\Tier1 Server Admins'; Rights = [ADPlayground.Acl.AclRights]::WriteProperty; AccessControlType = [System.Security.AccessControl.AccessControlType]::Allow; Inheritance = [ADPlayground.Acl.AclInheritance]::Children }
)
Set-ADXACL -ADObject 'OU=Servers,OU=Managed,DC=contoso,DC=com' -Requests $requests -ReturnGovernanceResult
Common Parameters
This command supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters.
Syntax
Set-ADXACL -Security <ActiveDirectorySecurity> [-Entries <AclEntry[]>] [-AllowWrite] [-Apply] [-DryRun <bool>] [-GovernanceMode <string>] [-Intent <string>] [-Requests <AdxAclPermissionRequest[]>] [-ReturnGovernanceResult] [-WriteActorId <string>] [-WriteAuditCorrelationId <string>] [-WriteChangeReason <string>] [-WriteExecutionId <string>] [-WriteRollbackPlanId <string>] [-WriteRollbackProviderId <string>] [<CommonParameters>]
Parameter set: By Security
Parameters
- Security ActiveDirectorySecurity
  ActiveDirectorySecurity instance to read or modify.
- Entries AclEntry[]
  ACL entries to apply (legacy format).
- AllowWrite SwitchParameter
  Explicit write confirmation flag for mutating operations.
- Apply SwitchParameter
  Applies changes. Without this switch, the cmdlet runs in dry-run mode.
- DryRun bool
  Dry-run mode flag. Defaults to true; set to false (or use -Apply) to execute writes.
- GovernanceMode string
  Governance behavior mode. compatibility preserves legacy write defaults; enforced requires explicit governance flow.
- Intent string
  Execution intent (read_only or read_write). Default: read_only.
- Requests AdxAclPermissionRequest[]
  Permission requests to apply (SID/name-based format).
- ReturnGovernanceResult SwitchParameter
  Emits the full governed result instead of only the change set.
- WriteActorId string
  Write actor identifier.
- WriteAuditCorrelationId string
  Optional write audit correlation identifier.
- WriteChangeReason string
  Write change reason, ticket, or approval reference.
- WriteExecutionId string
  Write execution identifier for governance/audit correlation.
- WriteRollbackPlanId string
  Write rollback plan identifier.
- WriteRollbackProviderId string
  Optional write rollback provider identifier.
Outputs
ADPlayground.Acl.AclChangeSet
Set-ADXACL -Entry <DirectoryEntry> [-Entries <AclEntry[]>] [-AllowWrite] [-Apply] [-DryRun <bool>] [-GovernanceMode <string>] [-Intent <string>] [-Requests <AdxAclPermissionRequest[]>] [-ReturnGovernanceResult] [-WriteActorId <string>] [-WriteAuditCorrelationId <string>] [-WriteChangeReason <string>] [-WriteExecutionId <string>] [-WriteRollbackPlanId <string>] [-WriteRollbackProviderId <string>] [<CommonParameters>]
Parameter set: By Entry
Parameters
- Entry DirectoryEntry
  DirectoryEntry object to read or modify.
- Entries AclEntry[]
  ACL entries to apply (legacy format).
- AllowWrite SwitchParameter
  Explicit write confirmation flag for mutating operations.
- Apply SwitchParameter
  Applies changes. Without this switch, the cmdlet runs in dry-run mode.
- DryRun bool
  Dry-run mode flag. Defaults to true; set to false (or use -Apply) to execute writes.
- GovernanceMode string
  Governance behavior mode. compatibility preserves legacy write defaults; enforced requires explicit governance flow.
- Intent string
  Execution intent (read_only or read_write). Default: read_only.
- Requests AdxAclPermissionRequest[]
  Permission requests to apply (SID/name-based format).
- ReturnGovernanceResult SwitchParameter
  Emits the full governed result instead of only the change set.
- WriteActorId string
  Write actor identifier.
- WriteAuditCorrelationId string
  Optional write audit correlation identifier.
- WriteChangeReason string
  Write change reason, ticket, or approval reference.
- WriteExecutionId string
  Write execution identifier for governance/audit correlation.
- WriteRollbackPlanId string
  Write rollback plan identifier.
- WriteRollbackProviderId string
  Optional write rollback provider identifier.
Outputs
ADPlayground.Acl.AclChangeSet
Set-ADXACL -ADObject <string> [-Entries <AclEntry[]>] [-AllowWrite] [-Apply] [-DryRun <bool>] [-GovernanceMode <string>] [-Intent <string>] [-Requests <AdxAclPermissionRequest[]>] [-ReturnGovernanceResult] [-WriteActorId <string>] [-WriteAuditCorrelationId <string>] [-WriteChangeReason <string>] [-WriteExecutionId <string>] [-WriteRollbackPlanId <string>] [-WriteRollbackProviderId <string>] [<CommonParameters>]
Parameter set: By ADObject
Parameters
- ADObject string
  Distinguished name/path of the object to read or modify.
- Entries AclEntry[]
  ACL entries to apply (legacy format).
- AllowWrite SwitchParameter
  Explicit write confirmation flag for mutating operations.
- Apply SwitchParameter
  Applies changes. Without this switch, the cmdlet runs in dry-run mode.
- DryRun bool
  Dry-run mode flag. Defaults to true; set to false (or use -Apply) to execute writes.
- GovernanceMode string
  Governance behavior mode. compatibility preserves legacy write defaults; enforced requires explicit governance flow.
- Intent string
  Execution intent (read_only or read_write). Default: read_only.
- Requests AdxAclPermissionRequest[]
  Permission requests to apply (SID/name-based format).
- ReturnGovernanceResult SwitchParameter
  Emits the full governed result instead of only the change set.
- WriteActorId string
  Write actor identifier.
- WriteAuditCorrelationId string
  Optional write audit correlation identifier.
- WriteChangeReason string
  Write change reason, ticket, or approval reference.
- WriteExecutionId string
  Write execution identifier for governance/audit correlation.
- WriteRollbackPlanId string
  Write rollback plan identifier.
- WriteRollbackProviderId string
  Optional write rollback provider identifier.
Outputs
ADPlayground.Acl.AclChangeSet
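Added example (not part of the module's own documentation): the two-step flow the parameter descriptions imply for the By ADObject set, a dry-run preview followed by an explicitly confirmed write in enforced mode with audit metadata. The OU, group, ticket and rollback-plan values are constructed placeholders, and the exact set of Write* fields that enforced mode requires is an assumption to verify against your module version.

```powershell
# Added example. The OU, group, ticket and rollback-plan values are constructed placeholders.
$target   = 'OU=Servers,OU=Managed,DC=contoso,DC=com'
$requests = @(
    [ADPlayground.Acl.AdxAclPermissionRequest]@{
        Identity          = 'CONTOSO\Helpdesk Tier1'
        Rights            = [ADPlayground.Acl.AclRights]::ReadProperty
        AccessControlType = [System.Security.AccessControl.AccessControlType]::Allow
        Inheritance       = [ADPlayground.Acl.AclInheritance]::Descendents
    }
)

# Step 1: preview. Without -Apply the cmdlet stays in dry-run mode and writes nothing.
$preview = Set-ADXACL -ADObject $target -Requests $requests -ReturnGovernanceResult
$preview | Format-List *

# Step 2: require an operator decision before the explicit ACL is replaced.
$answer = Read-Host "Replace explicit ACEs on '$target'? Type YES to continue"
if ($answer -cne 'YES') {
    Write-Warning 'Aborted: no changes written.'
    return
}

# Step 3: governed write. Every parameter name comes from the syntax above;
# that enforced mode accepts this combination is an assumption.
$write = @{
    ADObject               = $target
    Requests               = $requests
    GovernanceMode         = 'enforced'
    Intent                 = 'read_write'
    Apply                  = $true
    AllowWrite             = $true
    WriteActorId           = "$env:USERDOMAIN\$env:USERNAME"
    WriteChangeReason      = 'CHG-PLACEHOLDER: delegate read access to Helpdesk Tier1'
    WriteExecutionId       = [guid]::NewGuid().ToString()
    WriteRollbackPlanId    = 'ROLLBACK-PLAN-PLACEHOLDER'
    ReturnGovernanceResult = $true
    ErrorAction            = 'Stop'
}
$result = Set-ADXACL @write

# Keep the governed result with the change record for later audit correlation.
$result | Format-List *
```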