

Delegated Installation for an Enterprise Certification Authority with PowerShell

By default, to install an Enterprise certification authority (CA), you must be a member of the Enterprise Admins group, or Domain Admins for the root domain. By running the scripts in this topic, you can delegate control to an administrator who doesn’t have these high-privilege permissions.
Use the following procedure to prepare a forest so that a low-privilege administrator can install and configure an enterprise CA.
Grant-ADPermission -GroupDistinguishedName 'CN=PKIAdmins,OU=Groups,OU=Coremans,DC=coremans,DC=internal' -AdRights GenericAll -AccessControlType Allow -Inheritance SelfAndChildren -ObjectType "AllProperties" -InheritedObjectType AllObjects -AdObjectDN 'CN=Public Key Services,CN=Services,CN=Configuration,DC=coremans,DC=internal' -Verbose
Grant-ADPermission -GroupDistinguishedName 'CN=PKIAdmins,OU=Groups,OU=Coremans,DC=coremans,D…
Recent posts

Delegate DHCP Authorization

When delegating DHCP administration to a non-Enterprise Administrator, you can use the built-in Active Directory group DHCP Administrators to accomplish this task, but authorization of the DHCP server requires additional permissions in Active Directory:

The delegation of authorization and unauthorization of DHCP servers is two-fold.
1. Granting permission to create/delete dHCPClass objects.
2. Granting permission to change all properties of the existing dHCPClass objects.

When this is done, it is really possible to delegate DHCP administration!

The following PowerShell script performs all of these tasks.

Grant-ADPermission -GroupDistinguishedName 'CN=DHCP Authorization,OU=DomainLocal,OU=Groups,OU=a00,OU=01000,DC=coremans,DC=internal' -AdRights "CreateChild", "DeleteChild" -AccessControlType Allow -Inheritance None -ObjectType "Dhcpclass" -InheritedObjectType AllObjects -AdObjectDN 'CN=NetServices,CN=Services,CN=Configuration,DC=coremans,DC=int…
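
To verify the result of the two steps above, the following read-only audit lists which principals hold those rights on the NetServices container and on the existing dHCPClass objects. It is an added example, not part of the original post or its Grant-ADPermission script; it assumes the ActiveDirectory module (RSAT) is installed, and Get-DelegatedAce is a hypothetical helper name.

```powershell
# Added example (read-only): list who holds the rights described in steps 1 and 2.
# Assumes the ActiveDirectory module (RSAT); Get-DelegatedAce is a hypothetical helper.
Import-Module ActiveDirectory

$rootDse   = Get-ADRootDSE
$container = "CN=NetServices,CN=Services,$($rootDse.configurationNamingContext)"

# Resolve the dHCPClass schemaIDGUID from the schema rather than hard-coding it.
$schemaObj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=dHCPClass)' -Properties schemaIDGUID
$dhcpGuid  = [guid]$schemaObj.schemaIDGUID

function Get-DelegatedAce {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [Parameter(Mandatory)] [System.DirectoryServices.ActiveDirectoryRights] $Rights,
        [guid] $ObjectType = [guid]::Empty
    )
    # An Allow ACE matches when it grants any of $Rights and is scoped either to
    # everything (empty GUID) or to the given class/property GUID.
    # GenericAll and GenericWrite contain the individual bits, so they match too.
    (Get-Acl -Path "AD:\$DistinguishedName").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights) -band ([int]$Rights)) -ne 0 -and
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $ObjectType)
    } | Select-Object @{ n = 'Target'; e = { $DistinguishedName } },
        IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
}

# Step 1: create/delete dHCPClass children on the NetServices container.
$createDelete = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
Get-DelegatedAce -DistinguishedName $container -Rights $createDelete -ObjectType $dhcpGuid

# Step 2: write access to all properties of each existing dHCPClass object.
Get-ADObject -SearchBase $container -SearchScope OneLevel `
    -LDAPFilter '(objectClass=dHCPClass)' |
    ForEach-Object {
        Get-DelegatedAce -DistinguishedName $_.DistinguishedName -Rights WriteProperty
    }
```

Any IdentityReference in the output other than the delegation group and the expected built-in administrators is worth reviewing, since these rights decide which DHCP servers the forest treats as authorized.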