You have a Windows Server 2008 R2 Enterprise Root certification authority (CA).
You need to grant members of the Account Operators group the ability to only manage Basic
EFS certificates.
You grant the Account Operators group the Issue and Manage Certificates permission on
the CA.
Which three tasks should you perform next? (Each correct answer presents part of the
solution.
Choose three.)
A.
Enable the Restrict Enrollment Agents option on the CA.
B.
Enable the Restrict Certificate Managers option on the CA.
C.
Add the Basic EFS certificate template for the Account Operators group.
D.
Grant the Account Operators group the Manage CA permission on the CA.
E.
Remove all unnecessary certificate templates that are assigned to the Account Operators
group.
Explanation:
http://technet.microsoft.com/en-us/library/cc779954%28v=ws.10%29.aspx
Role-based administration
Role explanation
Role-based administration involves CA roles, users, and groups. To assign a role to a user
or group, you must assign the role’s corresponding security permissions, group
memberships, or user rights to the user or group.
These security permissions, group memberships, and user rights are used to distinguish
which users have which roles. The following table describes the CA roles of role-based
administration and the groups relevant to role-based administration.
Certificate Manager:
Delete multiple rows in database (bulk deletion)
Issue and approve certificates
Deny certificates
Revoke certificates
Reactivate certificates placed on hold
Renew certificates
Recover archived key
Read CA database
Read CA configuration information
…
http://technet.microsoft.com/en-us/library/cc753372.aspx
Restrict Certificate ManagersA certificate manager can approve certificate enrollment and revocation requests, issue
certificates, and manage certificates. This role can be configured by assigning a user or
group the Issue and Manage Certificatespermission.
When you assign this permission to a user or group, you can further refine their ability to
manage certificates by group and by certificate template. For example, you might want to
implement a restriction that they can only approve requests or revoke smart card logon
certificates for users in a certain office or organizational unit that is the basis for a security
group.
This restriction is based on a subset of the certificate templates enabled for the certification
authority (CA) and the user groups that have Enroll permissions for that certificate template
from that CA.
..
To configure certificate manager restrictions for a CA:
1. Open the Certification Authority snap-in, and right-click the name of the CA.
2. Click Properties, and then click the Security tab.
3. Verify that the user or group that you have selected has Issue and Manage Certificates
permission. If they do not yet have this permission, select the Allow check box, and then
click Apply.
4. Click the Certificate Managers tab.
5. Click Restrict certificate managers, and verify that the name of the group or user is
displayed.
6. Under Certificate Templates, click Add, select the template for the certificates that you
want this user or group to manage, and then click OK. Repeat this step until you have
selected all certificate templates that you want to allow this certificate manager to manage.
7. Under Permissions, click Add, type the name of the client for whom you want the
certificate manager to manage the defined certificate types, and then click OK.
8. If you want to block the certificate manager from managing certificates for a specific user,
computer, or group, under Permissions, select this user, computer, or group, and click Deny.
9. When you are finished configuring certificate manager restrictions, click OK or Apply.
