Your network contains an Active Directory domain named contoso.com. The domain contains a server named
Server1 that runs Windows Server 2012 R2. Server1 has the Active Directory Certificate Services server role
installed and is configured to support key archival and recovery.
You create a new Active Directory group named Group1.
You need to ensure that the members of Group1 can request a Key Recovery Agent certificate. The solution must minimize the permissions assigned to Group1.
Which two permissions should you assign to Group1? (Each correct answer presents part of the solution.
Choose two.)
A. Read
B. Auto enroll
C. Write
D. Enroll
E. Full control
Explanation:
See step 6 below.
To configure the Key Recovery Agent certificate template
1. Open the Certificate Templates snap-in.
2. In the console tree, right-click the Key Recovery Agent certificate template.
3. Click Duplicate Template.
4. In Template, type a new template display name, and then modify any other optional properties as needed.
5. On the Security tab, click Add, type the name of the users you want to issue the key recovery agent certificates to, and then click OK.
6. Under Group or user names, select the user names that you just added. Under Permissions, select the Read and Enroll check boxes, and then click OK.
Identify a Key Recovery Agent
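
The Read and Enroll assignment from step 6 can be checked after the fact. This added example (not part of the original explanation) reads the template's ACL with the ActiveDirectory module and reports whether Group1 holds exactly Read and Enroll; the template CN KeyRecoveryAgentCustom is a hypothetical name for the duplicated template.

```powershell
# Added example: audit the rights a group holds on a certificate template object.
Import-Module ActiveDirectory

$TemplateCN = 'KeyRecoveryAgentCustom'   # assumption: CN of the duplicated template
$Group      = 'CONTOSO\Group1'           # group from the question

# Extended-right GUIDs that AD uses for certificate enrollment
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment
$AllRights      = [guid]::Empty  # ExtendedRight ACE without ObjectType grants every extended right

$ReadProperty  = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty'
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]'ExtendedRight'
# Bits that go beyond Read/Enroll (Write and Full control both set some of these)
$WriteMask = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, WriteOwner, Delete, DeleteTree, CreateChild, DeleteChild'

# Certificate templates live in the forest's configuration partition
$configNC = (Get-ADRootDSE).configurationNamingContext
$dn  = "CN=$TemplateCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$acl = Get-Acl -Path "AD:\$dn"

$result = [ordered]@{ Read = $false; Enroll = $false; AutoEnroll = $false; Write = $false }
foreach ($ace in $acl.Access) {
    # Only Allow ACEs granted directly to the group are evaluated here
    if ($ace.IdentityReference.Value -ne $Group -or $ace.AccessControlType -ne 'Allow') { continue }

    $rights = $ace.ActiveDirectoryRights
    if ($rights -band $ReadProperty) { $result['Read']  = $true }
    if ($rights -band $WriteMask)    { $result['Write'] = $true }
    if ($rights -band $ExtendedRight) {
        if ($ace.ObjectType -in $EnrollGuid, $AllRights)     { $result['Enroll']     = $true }
        if ($ace.ObjectType -in $AutoEnrollGuid, $AllRights) { $result['AutoEnroll'] = $true }
    }
}

# Least privilege for this scenario: Read and Enroll, nothing more
$result['LeastPrivilege'] = $result['Read'] -and $result['Enroll'] -and
                            -not ($result['AutoEnroll'] -or $result['Write'])
[pscustomobject]$result
```

The check covers ACEs that name Group1 directly; rights the members receive through other groups on the same template are not evaluated.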