Which tool should you use to assign permissions to Admin1?

Your network contains an Active Directory domain. The domain contains an enterprise
certification authority (CA).
You need to ensure that only members of a group named Admin1 can create certificate
templates.
Which tool should you use to assign permissions to Admin1?

A. the Certification Authority console
B. Active Directory Users and Computers
C. the Certificates snap-in
D. Active Directory Sites and Services

Explanation:
Active Directory Sites and Services is the tool used to assign the permission to create
certificate templates to a global or universal group, because the Certificate Templates
container lives in the Configuration naming context of AD DS rather than in the domain
partition.
The first reference lists what needs to be done; the second reference explains how to do it.
Reference 1)
http://technet.microsoft.com/en-us/library/cc725621.aspx
Delegating Template Management
You can delegate the ability to manage individual certificate templates or to create any
certificate templates by defining appropriate permissions to global groups or universal
groups that a user belongs to.
There are three levels of delegation for certificate template administration:
Modify existing templates
Create new templates (by duplicating existing templates)
Full delegation (including modifying all existing templates and creating new ones)
Create New Templates
To delegate the ability to create certificate templates to users who are not members of the
Domain Admins group in the forest root domain, or members of the Enterprise Admins
group, it is necessary to define the appropriate permissions in the Configuration naming
context of AD DS.

To delegate the ability to duplicate and create new certificate templates, you must make the
following permission assignments to a global or universal group of which the user is a
member:
Grant Create All Child Objects permission on the following container:
CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot.
Grant Full Control permission to every certificate template in the following container:
CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot.
The permissions assigned to the Certificate Templates container are not inherited by the
individual certificate templates.
Grant Create All Child Objects permission on the following container:
CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot.
Reference 2)
Windows Server 2008 – PKI and Certificate Security (Microsoft Press, 2008), page 298
Delegate Permissions for Creation of New Templates
You can delegate the permission to create new templates by assigning permissions to a
custom universal group for the
CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,ForestRootDomain
container.
1. Log on as a member of the Enterprise Admins group or the forest root domain Domain
Admins group.
2. Open the Active Directory Sites And Services console.
3. From the View menu, ensure that the Show Services Node setting is enabled.
4. In the console tree, expand Services, expand Public Key Services, and then click
Certificate Templates.
5. In the console tree, right-click Certificate Templates, and then click Delegate Control.
6. In the Delegation Of Control wizard, click Next.
7. On the Users Or Groups page, click Add.
8. In the Select Users, Computers, Or Groups dialog box, type a user or group name, and
then click OK.
9. On the Users Or Groups page, click Next.
10. On the Tasks To Delegate page, click Create A Custom Task To Delegate, and then click
Next.
11. On the Active Directory Object Type page, click This Folder, Existing Objects In This
Folder, and Creation Of New Objects In This Folder, and then click Next.
12. On the Permissions page, in the Permissions list, enable Full Control, and then click
Next.
13. On the Completing The Delegation Of Control wizard page, click Finish.
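As an added example (not part of the question's references or Microsoft's documentation), the permission assignments from Reference 1 and the delegation steps above expressed in PowerShell, followed by a check of which principals currently hold the create-child right on the Certificate Templates container, so an admin can confirm the "only Admin1" requirement actually holds. It assumes the RSAT ActiveDirectory module (which provides the AD: drive), the group name Admin1 from the question, and a session that meets the membership requirement in step 1.

```powershell
# Added example: delegate "create certificate templates" to Admin1, then audit the container.
# Assumes the RSAT ActiveDirectory module and an Enterprise Admins / forest-root Domain
# Admins session, as step 1 of the procedure requires.
Import-Module ActiveDirectory

$configNC    = (Get-ADRootDSE).configurationNamingContext
$pkiServices = "CN=Public Key Services,CN=Services,$configNC"
$templatesDN = "CN=Certificate Templates,$pkiServices"
$oidDN       = "CN=OID,$pkiServices"

function Grant-AdRight {
    param([string]$DistinguishedName,
          [System.Security.Principal.SecurityIdentifier]$Sid,
          [System.DirectoryServices.ActiveDirectoryRights]$Rights)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
}

$sid = (Get-ADGroup 'Admin1').SID   # group name taken from the question

# 1. Create All Child Objects on the Certificate Templates and OID containers (Reference 1)
Grant-AdRight $templatesDN $sid 'CreateChild'
Grant-AdRight $oidDN       $sid 'CreateChild'

# 2. Full Control on each existing template: the container's ACEs are not inherited by
#    the individual template objects, so each one is set explicitly.
Get-ADObject -SearchBase $templatesDN -SearchScope OneLevel `
             -Filter 'objectClass -eq "pKICertificateTemplate"' |
    ForEach-Object { Grant-AdRight $_.DistinguishedName $sid 'GenericAll' }

# 3. Audit: list every principal allowed to create child objects under the container.
#    Anything beyond Admin1 and the built-in administrative groups means the
#    "only Admin1 can create templates" requirement is not met.
function Get-TemplateCreators {
    param([string]$ContainerDN)
    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    (Get-Acl -Path "AD:\$ContainerDN").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       (($_.ActiveDirectoryRights -band $createChild) -ne 0) } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}
Get-TemplateCreators $templatesDN | Format-Table -AutoSize
```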