We are having issues with an NDES service account not being able to connect to the CA over DCOM (RPC Server Unavailable). The behavior is as follows:
If we add the service ID explicitly to the Certificate Services DCOM Access local group on the CA server, the connection works.
If we add [DOMAIN]\Domain Users to the group, the connection does not work.
If we add Authenticated Users to the group, the connection works.
The Certificate Services DCOM Access local group is controlled by a tool that mimics group policy, but is not an actual GPO. The tool can only resolve domain accounts and groups, so Authenticated Users can't be enforced.
Is there any good reason that [DOMAIN]\Domain Users isn't working for us? My understanding is that the group is dynamic, and any account that is a member of [DOMAIN] is inherently a member of [DOMAIN]\Domain Users. We'd really like to avoid having to add individual accounts to this local group as there are many and ever-changing.
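Added diagnostic, not part of the question above: a PowerShell script that compares what is actually in the CA's local "Certificate Services DCOM Access" group against the group SIDs the service account will carry in its logon token. It reads the AD constructed attribute tokenGroups (which expands nested groups and includes the account's primary group, unlike memberOf) and adds the well-known SIDs LSASS inserts at logon (Everyone, Authenticated Users), then reports which group members would match. Domain Users is RID 513 in the account's domain. It assumes it is run on the CA host by a local administrator with the RSAT ActiveDirectory module available and PowerShell 5.1 or later for Get-LocalGroupMember; the account name 'svc-ndes' is a placeholder.

```powershell
# Added diagnostic (not from the original post). Assumes: run on the CA host
# as a local admin, RSAT ActiveDirectory module installed, PowerShell 5.1+
# (Microsoft.PowerShell.LocalAccounts). 'svc-ndes' is a placeholder name.
param(
    [string]$ServiceAccount = 'svc-ndes',
    [string]$LocalGroup     = 'Certificate Services DCOM Access'
)
Import-Module ActiveDirectory

# Well-known SIDs that LSASS adds to every logon token; they are not stored
# in AD's tokenGroups, so they have to be treated as implicit members.
$implicitSids = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'
}

# 1. Current members of the local DCOM access group on this CA, by SID.
$members = Get-LocalGroupMember -Group $LocalGroup

# 2. Group SIDs the service account carries in its token. tokenGroups is a
#    constructed attribute: it expands nested groups and includes the primary
#    group (memberOf omits the primary group), which is what access checks see.
$user  = Get-ADUser -Identity $ServiceAccount
$entry = [ADSI]"LDAP://$($user.DistinguishedName)"
$entry.RefreshCache(@('tokenGroups'))
$tokenSids = @($entry.Properties['tokenGroups'] | ForEach-Object {
    (New-Object System.Security.Principal.SecurityIdentifier($_, 0)).Value
})
$tokenSids += $user.SID.Value            # the account's own SID is in the token
$tokenSids += @($implicitSids.Keys)      # added by LSASS at logon

# Domain Users is RID 513 in the account's own domain.
$domainUsersSid = "$($user.SID.AccountDomainSid.Value)-513"
"Domain Users SID          : $domainUsersSid"
"Present in account token? : $($tokenSids -contains $domainUsersSid)"

# 3. Which members of the local group would match this account's token?
$report = foreach ($m in $members) {
    [pscustomobject]@{
        Member       = $m.Name
        SID          = $m.SID.Value
        Class        = $m.ObjectClass
        MatchesToken = ($tokenSids -contains $m.SID.Value)
    }
}
$report | Format-Table -AutoSize

if (-not ($report | Where-Object MatchesToken -eq $true)) {
    Write-Warning "No member of '$LocalGroup' matches any SID in $ServiceAccount's token."
}
```

Run it as `.\Check-DcomAccess.ps1 -ServiceAccount svc-ndes` on the CA. If the Domain Users line reports `False`, the account's token does not carry RID 513 for that domain (for example because its primary group was changed, or it lives in a different domain than the one whose Domain Users group was added), which would explain why the explicit account entry works while the Domain Users entry does not. If it reports `True` and the Domain Users row still shows `MatchesToken` as `True`, the group membership is not the cause and the failure lies elsewhere in the DCOM/RPC path.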