You have an enterprise certification authority (CA).
You create a global security group named Group1.
You need to provide members of Group1 with the ability to issue and manage certificates.
The solution must prevent the Group1 members from managing certificates requested by members of the
Domain Admins group.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. From the CA properties, modify the Policy Module settings.
B. From the Certificate Templates console, modify the Security settings of the Administrator certificate template.
C. From the CA properties, modify the security settings.
D. From the CA properties, modify the Enrollment Agents settings.
E. From the CA properties, modify the Certificate Managers Settings.
F. From the Certificate Templates console, modify the Security settings of the User certificate template.
Should be C and E
Why? I did not find an explanation for that.
This is from Finkel:
By default, members of the following built-in Active Directory Domain Services groups can manage a CA:
Domain Admins
Enterprise Admins
Local Administrators
One of the first tasks you should perform is to establish additional security groups for the management of the CA. Once
that is complete you can delegate different CA management tasks to those groups, and by extension members of those
groups, instead of having to add users to the powerful groups from the preceding list.
To delegate permissions:
Step 1. Log on to a Windows Server Certificate Authority.
Step 2. Start Server Manager from either the Start Menu or the Taskbar.
Step 3. Select Tools > Certification Authority.
Step 4. Right-click the node for the current CA and select Properties.
Step 5. Select the Security tab.
Step 6. The default groups are listed. To add an additional group (it must already exist in the directory), click Add.
Step 7. Use the standard directory browse dialog to find the group to add.
Step 8. In the box shown in Figure 12-13, select the permissions for the group as described in the following list.
Read: Users with this permission can launch the CA console and view the details but not perform any tasks.
Issue and Manage Certificates: Users with this permission can issue new certificates and revoke existing certificates.
Manage CA: Users with this permission can perform full CA management, including backup and recovery.
Request Certificates: Users with this permission can request a certificate from the CA. By default all authenticated users have this permission.
Step 9. Click OK
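After delegating through the Security tab as in the steps above, the resulting CA permissions can be audited from PowerShell. This is an added example, not part of the quoted book text or of any post here. It assumes an elevated session on the CA server and that the CA keeps its ACL in the `Security` value under the CertSvc configuration key; the `CONTOSO` names in the approved list are hypothetical.

```powershell
# Added audit example: list who holds each CA permission on the local CA.
# Assumption: run elevated on the CA server itself.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot).Active          # name of the active CA
$sdBytes = (Get-ItemProperty -Path (Join-Path $cfgRoot $caName)).Security

# CA access-mask bits mapped to the permission names shown on the Security tab.
$rights = @(
    @{ Bit = 0x1;   Name = 'Manage CA' },
    @{ Bit = 0x2;   Name = 'Issue and Manage Certificates' },
    @{ Bit = 0x100; Name = 'Read' },
    @{ Bit = 0x200; Name = 'Request Certificates' }
)

# Parse the binary security descriptor and walk its DACL.
$sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($sdBytes, 0)
$report = foreach ($ace in $sd.DiscretionaryAcl) {
    try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = $ace.SecurityIdentifier.Value }           # SID that no longer resolves
    foreach ($r in $rights) {
        if ($ace.AccessMask -band $r.Bit) {
            [pscustomobject]@{ Principal = $who; AceType = $ace.AceType; Permission = $r.Name }
        }
    }
}
$report | Sort-Object Permission, Principal | Format-Table -AutoSize

# Hypothetical approved list: the default managers named above plus the delegated group.
$approved = @('BUILTIN\Administrators', 'CONTOSO\Domain Admins',
              'CONTOSO\Enterprise Admins', 'CONTOSO\Group1')
$report | Where-Object {
    $_.Permission -in 'Manage CA', 'Issue and Manage Certificates' -and
    $_.Principal -notin $approved
}
```

Any row returned by the last pipeline is a principal with management rights on the CA that is not on the approved list.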
Answer should be: C,E
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732590(v%3dws.11)#assigning-roles
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753372(v%3dws.11)