Your network contains an Active Directory domain named contoso.com. The domain
contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the
Active Directory Certificate Services server role installed and is configured to support key
archival and recovery.
You create a new Active Directory group named Group1.
You need to ensure that the members of Group1 can request a Key Recovery Agent
certificate. The solution must minimize the permissions assigned to Group1.
Which two permissions should you assign to Group1? (Each correct answer presents part of
the solution. Choose two.)
A. Read
B. Auto enroll
C. Write
D. Enroll
E. Full control
Explanation:
* In Template, type a new template display name, and then modify any other optional properties as needed.
* On the Security tab, click Add, type the name of the users you want to issue the key recovery agent certificates to, and then click OK.
* Under Group or user names, select the user names that you just added. Under Permissions, select the Read and Enroll check boxes, and then click OK.
A and D.
https://technet.microsoft.com/en-us/library/cc770794%28v=ws.10%29.aspx
Permission Design
Certificate templates are published to the Configuration naming context, which is stored on every domain controller in the forest in the path: CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain.
Each certificate template exists as an object in the Configuration naming context and has an associated discretionary access control list (DACL), which defines the specific operations a security principal can perform with the certificate.
Use the following recommendations for permissions assignments:
• Assign permissions only to global groups or to universal groups. It is not recommended to assign permissions to domain local groups. Domain local groups are only recognized in the domain where they exist, and assigning permissions to them can result in inconsistent application of permissions. You should not assign permissions directly to an individual user or computer account.
• To enable autoenrollment, a user or computer must belong to domain groups that are granted Read, Enroll, and Autoenroll permissions.
• To enable enrollment through the Certificates snap-in, Web-based enrollment, or automatic renewal, assign Read and Enroll permissions to either domain or universal groups.
• For certificate renewal, a user or computer must belong to a domain security group with Read and Enroll permissions. This is true whether the certificate is manually renewed or the renewal is implemented by using autoenrollment.
• Restrict Write and Full Control permissions to CA managers to ensure that the templates are not improperly configured.
Read and Enroll permissions are required. The individual template permissions are:
• Full Control. This allows a security principal to modify all attributes of a certificate template, including the permissions for the certificate template.
• Read. This allows a security principal to see the certificate template when enrolling for certificates. It is required for a security principal to enroll or autoenroll a certificate; it is required by the certificate server to find the certificate templates in AD DS.
• Write. This allows a security principal to modify the attributes of a certificate template, including the permissions assigned to the certificate template.
• Enroll. This allows a security principal to enroll for a certificate based on the certificate template. To enroll for a certificate, the security principal must also have Read permission for the certificate template.
• Autoenroll. This allows a security principal to receive a certificate through the autoenrollment process. Autoenrollment permissions require that the user has both Read and Enroll permissions in addition to the Autoenroll permission.
https://technet.microsoft.com/en-us/library/cc770588.aspx
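As an added example (not part of the original question or the cited TechNet articles), the following PowerShell script reads the DACL of a template object in the Configuration naming context and reports, per principal, which of the rights listed above it holds, so an administrator can confirm that a group such as Group1 ends up with exactly Read and Enroll on the Key Recovery Agent template and that Write/Full Control stays with CA managers. It assumes the ActiveDirectory RSAT module on a domain-joined host that can read the Configuration naming context; the function name is the author's own.

```powershell
# Added example (not from the original page or the cited TechNet articles).
# Audits the DACL of a certificate template in the Configuration NC and reports,
# per principal, which template rights (Read, Enroll, Autoenroll, Write/Full) it holds.
# Assumes the ActiveDirectory RSAT module on a domain-joined host. Deny ACEs are not evaluated.
Import-Module ActiveDirectory

function Get-TemplateEnrollmentRights {
    param([Parameter(Mandatory)][string]$TemplateName)  # template cn, e.g. 'KeyRecoveryAgent'

    $configNC   = (Get-ADRootDSE).configurationNamingContext
    $templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

    # Resolve the Enroll / Autoenroll control access rights from the schema
    # so their GUIDs are not hard-coded.
    $rightNames = @{}
    Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -Properties name, rightsGuid `
        -LDAPFilter '(&(objectClass=controlAccessRight)(|(name=Certificate-Enrollment)(name=Certificate-AutoEnrollment)))' |
        ForEach-Object { $rightNames[[guid]$_.rightsGuid] = $_.name }

    $ADR = [System.DirectoryServices.ActiveDirectoryRights]
    $summary = @{}
    $acl = Get-Acl -Path "AD:\$templateDN"
    foreach ($ace in ($acl.Access | Where-Object AccessControlType -eq 'Allow')) {
        $id = $ace.IdentityReference.Value
        if (-not $summary.ContainsKey($id)) {
            $summary[$id] = [ordered]@{ Identity = $id; Read = $false; Enroll = $false; Autoenroll = $false; WriteOrFullControl = $false }
        }
        $e = $summary[$id]; $r = $ace.ActiveDirectoryRights
        $full = $r.HasFlag($ADR::GenericAll)                          # Full Control implies every right below
        if ($full -or $r.HasFlag($ADR::ReadProperty)) { $e.Read = $true }   # the template 'Read' box grants GenericRead
        if ($full -or $r.HasFlag($ADR::WriteProperty) -or $r.HasFlag($ADR::WriteDacl) -or $r.HasFlag($ADR::WriteOwner)) {
            $e.WriteOrFullControl = $true                             # should be limited to CA managers
        }
        if ($full -or $r.HasFlag($ADR::ExtendedRight)) {
            # An empty ObjectType grants every extended right, Enroll included.
            $name = if ($full -or $ace.ObjectType -eq [guid]::Empty) { 'All' } else { $rightNames[$ace.ObjectType] }
            if ($name -in 'All', 'Certificate-Enrollment')     { $e.Enroll = $true }
            if ($name -in 'All', 'Certificate-AutoEnrollment') { $e.Autoenroll = $true }
        }
    }
    $summary.Values | ForEach-Object { [pscustomobject]$_ }
}

# Usage: check that Group1 shows Read and Enroll only, and list anyone holding write-class rights.
$report = Get-TemplateEnrollmentRights -TemplateName 'KeyRecoveryAgent'
$report | Format-Table -AutoSize
$report | Where-Object { $_.WriteOrFullControl } | Select-Object -ExpandProperty Identity
```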
Provided answer is correct. A & D
https://technet.microsoft.com/en-us/library/cc770794%28v=ws.10%29.aspx
This link gave the answer. A and D.