Modify the Default Security Permissions for Certificate Templates (Optional)
For enterprise CAs, Enroll permissions are controlled by ACLs for each certificate template. An enterprise CA grants certificate requests only for user accounts or computer accounts with Enroll permissions. The ACLs for certificate template are preconfigured to enable various security groups to enroll for certificate types.
By default, members of the Domain Admins security group for the domain where the CA is installed are granted Enroll permissions for all certificate types. Members of the Domain Users security group for the domain where the CA is installed are granted Enroll permissions for the following certificate types: Basic EFS, Authenticated Session, Exchange User, Exchange Signature Only, User, and User Signature Only. Members of the Enterprise Admins security group are granted Enroll permissions for all certificate types except for the Basic EFS, Authenticated Session, Exchange User, Exchange Signature Only, User, and User Signature Only.
If you want to enable other security groups to enroll for certificates, you must edit the ACLs for the certificate templates (for the domain where the CA is installed) to add the security group and assign Enroll permissions to them. In addition, if you want security groups in another domain to be able to enroll for certificates from an enterprise CA, you must add the other domain's security group to the ACLs of the certificate templates for the domain where the CA is installed.
You can use the Active Directory Sites and Services console (an MMC snap-in) to modify the ACLs for certificate templates. Before the Certificate Templates container appears, you must point to the Active Directory Sites and Services console and then click View and Show Services Node . For more information about how to use the Active Directory Sites and Services console, see Active Directory Help.
To show the Certificate Templates container, expand the Services container and the Public Key Services container, as shown in Figure 16.11.
Figure 16.11 Certificate Templates Container
To edit ACLs for a certificate template, click Certificate Templates . Then, right-click the certificate template in the details pane, and click Properties . When the Certification Authorities Properties dialog box appears, click Security and modify the security permissions as needed. For more information about how to edit ACLs for certificate templates, see Certificate Services Help.
For example, to ensure that only a few trusted individuals can obtain an Enrollment Agent certificate, you might modify the ACLs for the Enrollment Agent certificate template to delete the default security groups and add a special security group with Enroll permissions. You might also modify the ACLs for the Code Signing certificate template so that only certain developers who are members of a special code signers security group can enroll for code signing certificates.
When you change the ACLs for certificate templates, the changes might take a few minutes to replicate to other domain controllers.