The ABC.com network consists of a single Active Directory domain named ABC.com. All
computers on the ABC.com network are members of the ABC.com domain.
You install a new server named ABC-CA1 and configure it as a Certification Authority for the
ABC.com domain.
How would you enable an Active Directory global group named CA-Admins to issue, revoke and
approve certificates without assigning more permissions than necessary?
A. Make the CA-Admins group a member of the Domain Admins group in the domain.
B. Make the CA-Admins group a member of the local Administrators group on ABC-CA1.
C. Grant the CA-Admins group Full Control permission to the Certificate Templates container in Active Directory.
D. Make the CA-Admins group a member of the Cert Publishers group in Active Directory.
E. Grant the Certificate Managers role to the CA-Admins group.
Explanation:
To issue, approve and revoke certificates, the Certificate Administrators group needs to be assigned the Certificate Manager role. The Certificate Manager approves certificate enrollment and revocation requests. This is a CA role, sometimes referred to as CA Officer.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 11-4 to 11-8.
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, p. 890.