Your network contains an Active Directory domain named adatum.com. All servers run
Windows Server 2008 R2 Enterprise. All client computers run Windows 7 Professional.
The network contains an enterprise certification authority (CA).
You have a custom certificate template named Sales_Temp. Sales_Temp is published to the
CA.
You need to ensure that all of the members of a group named Sales can enroll for
certificates that use Sales_Temp.
Which snap-in should you use?
A.
Enterprise PKI
B.
Certification Authority
C.
Share and storage Management
D.
Certificate Templates
E.
Security Configuration Wizard
F.
Authorization Manager
G.
Group Policy Management
H.
Certificates
I.
Active Directory Administrative Center
Explanation:
http://technet.microsoft.com/en-us/library/cc770794.aspx
Deploying Certificate Templates
After creating a new certificate template, the next step is to deploy the certificate template so
that a certification authority (CA) can issue certificates based on it. Deployment includes
publishing the certificate template to one or more CAs, defining which security principals
have Enroll permissions for the certificate template, and deciding whether to configure
autoenrollment for the certificate template.
To define permissions to allow a specific security principal to enroll for certificates based on
a certificate template
1. Open the Certificate Templates snap-in (Certtmpl.msc).
2. In the details pane, right-click the certificate template you want to change, and then click
Properties.
3. On the Security tab, ensure that Authenticated users is assigned Read permissions. This
ensures that all authenticated users on the network can see the certificate templates.
4. On the Security tab, click Add. Add a global group or universal group that contains all
security principals requiring Enroll permissions for the certificate template, and then click OK.
5. On the Security tab, select the newly added security group, and then assign Allow for the
Read and Enroll permissions.
6. Click OK.
Permission Design
Use the following recommendations for permissions assignments:
Assign permissions only to global groups or to universal groups. It is not recommended to
assign permissions to domain local groups. Domain local groups are only recognized in the
domain where they exist, and assigning permissions to them can result in inconsistent
application of permissions. You should not assign permissions directly to an individual user
or computer account. (…)