ADCS (PKI) - Cert Services DCOM Access Group membership

Mike Bruno 136 Reputation points
2020-02-20T16:57:09.467+00:00

We are having issues with an NDES service account not being able to connect to the CA over DCOM (RPC Server Unavailable). The behavior is as follows:

  • If we add the service ID explicitly to the Certificate Services DCOM Access local group on the CA server, the connection works
  • If we add [DOMAIN]\Domain Users to the group, the connection does not work.
  • If we add Authenticated Users to the group, the connection works.

The Certificate Services DCOM Access local group is controlled by a tool that mimics group policy, but is not an actual GPO. The tool can only resolve domain accounts and groups, so Authenticated Users can't be enforced.

Is there any good reason that [DOMAIN]\Domain Users isn't working for us? My understanding is that the group is dynamic, and any account that is a member of [DOMAIN] is inherently a member of [DOMAIN]\Domain Users. We'd really like to avoid having to add individual accounts to this local group as there are many and ever-changing.

Microsoft Entra ID
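A diagnostic added here (not part of the original question) that compares what the CA's local group actually grants with the SIDs the NDES account carries in its AD token. It assumes it is run on the CA host with the RSAT ActiveDirectory module, and the account name is a placeholder.

```powershell
# Added example: check effective coverage of a service account by the
# "Certificate Services DCOM Access" local group. Placeholder account name.
Import-Module ActiveDirectory

$ServiceAccount = 'DOMAIN\ndes-svc'          # placeholder, replace
$LocalGroup     = 'Certificate Services DCOM Access'

# 1. SIDs currently granted through the local group on the CA server
$grantedSids = Get-LocalGroupMember -Group $LocalGroup |
    ForEach-Object { $_.SID.Value }

# 2. SIDs the account carries: tokenGroups is the transitively expanded,
#    security-group-only membership AD computes, which is what an
#    access check is evaluated against (the primary group is included).
$sam  = $ServiceAccount.Split('\')[-1]
$user = Get-ADUser -Identity $sam -Properties tokenGroups, primaryGroupID
$tokenSids = @($user.SID.Value) + @($user.tokenGroups | ForEach-Object { $_.Value })

# 3. Report which local-group entries cover the account. Authenticated Users
#    (S-1-5-11) never appears in tokenGroups: it is added at logon, so it
#    is reported separately rather than matched.
$covered = $grantedSids | Where-Object { $tokenSids -contains $_ }
if ($covered) {
    "Account is covered by local group entries: $($covered -join ', ')"
} else {
    "No local group entry matches the account's AD token groups."
}
if ($grantedSids -contains 'S-1-5-11') {
    "Authenticated Users is present; every domain logon carries this SID."
}
"Primary group RID: $($user.primaryGroupID) (513 = Domain Users)"
```

If Domain Users' SID (RID 513) shows up in both lists yet DCOM access still fails, the gap is somewhere other than group membership resolution, which narrows the next troubleshooting step.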

1 answer

  1. Frank Hu MSFT 81 Reputation points
    2020-02-22T03:41:26.74+00:00

    It sounds like you're referring to an on-prem active directory issue.
    Can you provide the docs that you're trying to follow?

    I suggest posting your question against the active directory forums here: https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverds

    As these forums are meant for Azure AD related issues.

    More information on the Cert Services DCOM Access group can be found here: https://morgansimonsen.com/2012/01/24/an-overview-of-groups-used-by-active-directory-certificate-services/
