Which two actions should you perform?

Your network contains an Active Directory domain named contoso.com. The domain
contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the
Active Directory Certificate Services server role installed and is configured as an enterprise
certification authority (CA).
You need to ensure that all of the users in the domain are issued a certificate that can be
used for the following purposes:
Email security
Client authentication
Encrypting File System (EFS)

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. From a Group Policy, configure the Certificate Services Client – Auto-Enrollment settings.

B. From a Group Policy, configure the Certificate Services Client – Certificate Enrollment Policy settings.

C. Modify the properties of the User certificate template, and then publish the template.

D. Duplicate the User certificate template, and then publish the template.

E. From a Group Policy, configure the Automatic Certificate Request Settings settings.

Explanation:
The default User template supports all of the requirements except autoenrollment.

However, a duplicate of the User template can be autoenrolled.

The Automatic Certificate Request Settings GPO setting is available only for computers, not users.
http://technet.microsoft.com/en-us/library/dd851772.aspx
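
The check behind the explanation above, as an added example that is not part of the original page: it reports, per certificate template, whether the three required purposes are present and whether a principal can autoenroll. The helper names `Test-TemplateAutoenroll` and `New-SampleAce`, the template name `ContosoUserAuto`, and the sample objects are hypothetical and constructed for illustration.

```powershell
# Added example. Extended-right GUIDs and EKU OIDs are the well-known AD CS values.
$Autoenroll = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment
$Enroll     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment
$RequiredEku = @{
    '1.3.6.1.5.5.7.3.4'      = 'Secure Email'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
    '1.3.6.1.4.1.311.10.3.4' = 'Encrypting File System'
}

function Test-TemplateAutoenroll {   # hypothetical helper name
    param(
        [Parameter(ValueFromPipeline = $true)] $Template,
        [string] $Principal = 'CONTOSO\Domain Users'
    )
    process {
        # Templates without the attribute are treated as schema version 1.
        $version = [int]$Template.'msPKI-Template-Schema-Version'
        if ($version -lt 1) { $version = 1 }
        # Extended rights granted directly to $Principal (nested groups are not expanded).
        $rights = @($Template.nTSecurityDescriptor.Access | Where-Object {
            "$($_.IdentityReference)" -eq $Principal -and
            "$($_.AccessControlType)" -eq 'Allow' -and
            "$($_.ActiveDirectoryRights)" -match 'ExtendedRight'
        } | ForEach-Object { [guid]"$($_.ObjectType)" })
        $missing = @($RequiredEku.Keys | Where-Object { @($Template.pKIExtendedKeyUsage) -notcontains $_ })
        [pscustomobject]@{
            Template        = $Template.Name
            SchemaVersion   = $version
            MissingPurposes = ($missing | ForEach-Object { $RequiredEku[$_] }) -join ', '
            CanEnroll       = ($rights -contains $Enroll)
            # Autoenrollment needs a version 2+ template plus both Enroll and Autoenroll.
            CanAutoenroll   = ($version -ge 2) -and ($rights -contains $Enroll) -and ($rights -contains $Autoenroll)
        }
    }
}

# Constructed sample data shaped like Get-ADObject output (not real directory content).
function New-SampleAce($Right) {
    [pscustomobject]@{ IdentityReference = 'CONTOSO\Domain Users'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'ExtendedRight'; ObjectType = $Right }
}
$eku = @($RequiredEku.Keys)
@(
    [pscustomobject]@{ Name = 'User'; 'msPKI-Template-Schema-Version' = 1; pKIExtendedKeyUsage = $eku
        nTSecurityDescriptor = [pscustomobject]@{ Access = @(New-SampleAce $Enroll) } }
    [pscustomobject]@{ Name = 'ContosoUserAuto'; 'msPKI-Template-Schema-Version' = 2; pKIExtendedKeyUsage = $eku
        nTSecurityDescriptor = [pscustomobject]@{ Access = @((New-SampleAce $Enroll), (New-SampleAce $Autoenroll)) } }
) | Test-TemplateAutoenroll | Format-Table -AutoSize
```

Against a live domain, the same function accepts `pKICertificateTemplate` objects returned by `Get-ADObject` with the `nTSecurityDescriptor`, `pKIExtendedKeyUsage` and `msPKI-Template-Schema-Version` properties requested. ACEs that grant full control or all extended rights are not counted by this check.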




bobsmith

Jake

Although duplicating templates from existing templates is considered best practice, it’s not part of the solution in this case. If it was, it would have been enough to just issue the existing “User” template unaltered. However, to enable auto enrollment, it’s necessary to modify the template first, more exactly, granting users the Autoenroll right.

Answer = A, C

Joe

I think it may be A and D. If you go into the templates manager, notice that you cannot give autoenroll permissions to a template without duplicating it. You do not get the option within the Security tab.

Joe

Ignore me, you are right! The template I looked at had a minimum supported OS of Windows 2000; however, when I check one with Windows 2003, it gives me the option.

Joe

Sorry, changed my mind again. On certain certificates you can change the autoenroll permissions, but on the User one it does not allow this.

A and D, final offer.

pablo

Where do you see anything in this question about auto enrollment?

den

It just makes sense because you do not have the option to configure the old-school enrollment. It’s part of answer E, but this is only a computer-based setting for computer certificate usage.
Further, you cannot change the options of that default user certificate!
You have to copy it and configure auto enrollment.
My vote goes for A+D.

Marshal Bullymore

Jesus Joe, every question you add false information and change your answer back and forth!

Wayne Fulton

Just a thought, but don't we need to modify the template after duplicating it? Therefore the answer would be C + D? I am going off what some of the TechNet links are suggesting.

Based on the fact that my dump says A + D and the fact that most comments suggest that it's A + D would suggest that I am wrong! I am far from an expert, but reading the TechNet articles suggests C + D to me. Can someone prove me wrong please? All I want is the correct understanding.