PrepAway - Latest Free Exam Questions & Answers

Which tool should you use to assign permissions to Admin1?

Your network contains an Active Directory domain. The domain contains an enterprise certification authority
(CA).
You need to ensure that only members of a group named Admin1 can create certificate templates.
Which tool should you use to assign permissions to Admin1?

A. the Certification Authority console

B. Active Directory Users and Computers

C. the Certificates snap-in

D. Active Directory Sites and Services

Explanation:
We need to use Active Directory Sites and Services to assign permissions to create certificate templates to
global or universal groups.
The first reference lists what needs to be done, the second reference explains how to do it.
Reference 1:
http://technet.microsoft.com/en-us/library/cc725621.aspx
Delegating Template Management
You can delegate the ability to manage individual certificate templates or to create any certificate templates by
defining appropriate permissions to global groups or universal groups that a user belongs to.
There are three levels of delegation for certificate template administration:
– Modify existing templates
– Create new templates (by duplicating existing templates)
– Full delegation (including modifying all existing templates and creating new ones)
Create New Templates
To delegate the ability to create certificate templates to users who are not members of the Domain Admins
group in the forest root domain, or members of the Enterprise Admins group, it is necessary to define the
appropriate permissions in the Configuration naming context of AD DS.
To delegate the ability to duplicate and create new certificate templates, you must make the following
permission assignments to a global or universal group of which the user is a member:
– Grant Create All Child Objects permission on the following container: CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot.
– Grant Full Control permission to every certificate template in the following container: CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot. The permissions
assigned to the Certificate Templates container are not inherited by the individual certificate templates.
– Grant Create All Child Objects permission on the following container: CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot.
Reference 2:
Windows Server 2008 – PKI and Certificate Security (Microsoft Press, 2008)
page 298
Delegate Permissions for Creation of New Templates
You can delegate the permission to create new templates by assigning permissions to a custom universal
group for the CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,ForestRootDomain container.
1. Log on as a member of the Enterprise Admins group or the forest root domain Domain Admins group.
2. Open the Active Directory Sites And Services console.
3. From the View menu, ensure that the Show Services Node setting is enabled.
4. In the console tree, expand Services, expand Public Key Services, and then click Certificate Templates.
5. In the console tree, right-click Certificate Templates, and then click Delegate Control.
6. In the Delegation Of Control wizard, click Next.
7. On the Users Or Groups page, click Add.
8. In the Select Users, Computers, Or Groups dialog box, type a user or group name, and then click OK.
9. On the Users Or Groups page, click Next.
10. On the Tasks To Delegate page, click Create A Custom Task To Delegate, and then click Next.
11. On the Active Directory Object Type page, click This Folder, Existing Objects In This Folder, and Creation
Of New Objects In This Folder, and then click Next.
12. On the Permissions page, in the Permissions list, enable Full Control, and then click Next.
13. On the Completing The Delegation Of Control wizard page, click Finish.
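
The three permission assignments from Reference 1, scripted in PowerShell as an added example (not taken from the TechNet article or the book). It assumes the ActiveDirectory RSAT module and a session running as Enterprise Admins or forest root Domain Admins; `Grant-AdRight` is a hypothetical helper name.

```powershell
Import-Module ActiveDirectory

$GroupName = 'Admin1'                       # group named in the question
$group = Get-ADGroup -Identity $GroupName
if ($group.GroupScope -eq 'DomainLocal') { throw "$GroupName must be a global or universal group" }

$configNC  = (Get-ADRootDSE).configurationNamingContext
$pks       = "CN=Public Key Services,CN=Services,$configNC"
$templates = "CN=Certificate Templates,$pks"
$oids      = "CN=OID,$pks"

# Hypothetical helper: add one non-inherited Allow ACE to the object at $Dn.
function Grant-AdRight {
    param([string]$Dn, [System.Security.Principal.SecurityIdentifier]$Sid,
          [System.DirectoryServices.ActiveDirectoryRights]$Rights)
    $acl  = Get-Acl -Path "AD:\$Dn"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

# Create All Child Objects on the Certificate Templates and OID containers.
Grant-AdRight -Dn $templates -Sid $group.SID -Rights CreateChild
Grant-AdRight -Dn $oids      -Sid $group.SID -Rights CreateChild

# Full Control on every existing template: container permissions are not
# inherited by the individual templates, so each one gets its own ACE.
Get-ADObject -SearchBase $templates -SearchScope OneLevel -LDAPFilter '(objectClass=pKICertificateTemplate)' |
    ForEach-Object { Grant-AdRight -Dn $_.DistinguishedName -Sid $group.SID -Rights GenericAll }

# Read back every principal that can create child objects in either container.
foreach ($dn in $templates, $oids) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object {
            ($_.AccessControlType -eq 'Allow') -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild)
        } |
        Select-Object @{n='Container';e={$dn}}, IdentityReference, ActiveDirectoryRights, IsInherited
}
```

The read-back lists all holders of the create right, not only Admin1, so any unexpected principal on either container shows up for review.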
