
Delegated Installation for an Enterprise Certification Authority with Powershell

By default, to install an Enterprise certification authority (CA), you must be a member of the Enterprise Admins group, or of the Domain Admins group of the forest root domain. By running the scripts in this topic, you can delegate control to an administrator who does not hold these high-privilege memberships.

Use the following procedure to prepare a forest so that a low-privilege administrator can install and configure an enterprise CA. The script below uses Grant-ADPermission, which is not a cmdlet of the built-in ActiveDirectory module, so load that function first; the group it delegates to (PKIAdmins) must already exist.


# 1. Full control on the Public Key Services container (and its children: templates, AIA, CDP, Enrollment Services, NTAuthCertificates ...) in the Configuration partition
Grant-ADPermission -GroupDistinguishedName 'CN=PKIAdmins,OU=Groups,OU=Coremans,DC=coremans,DC=internal' -AdRights GenericAll -AccessControlType Allow -Inheritance SelfAndChildren -ObjectType "AllProperties" -InheritedObjectType AllObjects -AdObjectDN 'CN=Public Key Services,CN=Services,CN=Configuration,DC=coremans,DC=internal' -Verbose
 
# 2. Write access to the 'member' attribute of Pre-Windows 2000 Compatible Access
Grant-ADPermission -GroupDistinguishedName 'CN=PKIAdmins,OU=Groups,OU=Coremans,DC=coremans,DC=internal' -AdRights WriteProperty -AccessControlType Allow -Inheritance SelfAndChildren -ObjectType "member" -InheritedObjectType Group -AdObjectDN 'CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=coremans,DC=internal' -Verbose

# 3. Write access to the 'member' attribute of Cert Publishers, so the CA computer account can be added to it
Grant-ADPermission -GroupDistinguishedName 'CN=PKIAdmins,OU=Groups,OU=Coremans,DC=coremans,DC=internal' -AdRights WriteProperty -AccessControlType Allow -Inheritance SelfAndChildren -ObjectType "member" -InheritedObjectType Group -AdObjectDN 'CN=Cert Publishers,CN=Users,DC=coremans,DC=internal' -Verbose

An administrator who is not a member of the Enterprise Admins or Domain Admins group, but who is a member of the group that you created (PKIAdmins), can now install and configure an enterprise CA, provided the account is also a local Administrator on the server where the CA role is installed. Keep in mind that full control over the Public Key Services container includes certificate templates and the NTAuthCertificates object, so membership of this group carries forest-wide PKI authority and should be guarded as strictly as Enterprise Admins.
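The same three ACEs can be applied with the built-in ActiveDirectory module alone (AD: drive plus Set-Acl), and read back afterwards to confirm that the delegation landed where intended. This is an added example and not code from the original post; it assumes RSAT ActiveDirectory is installed, that it runs as an Enterprise Admin, and that the forest and group names match the lab used above (coremans.internal, group PKIAdmins). The function names Add-PkiDelegationAce and Get-PkiDelegationAce are this example's own.

```powershell
# Added example: replicate the delegation with Set-Acl on the AD: drive.
# Assumes RSAT ActiveDirectory, Enterprise Admin rights, and the group 'PKIAdmins'.
Import-Module ActiveDirectory

$group    = Get-ADGroup 'PKIAdmins'
$sid      = [System.Security.Principal.SecurityIdentifier] $group.SID
$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext
$schemaNC = $rootDse.schemaNamingContext
$domainDN = (Get-ADDomain).DistinguishedName

# Object-specific ACEs need the schemaIDGUID of the 'member' attribute and the 'group' class.
# They are read from the schema instead of hard-coded.
$memberGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=member)' -Properties schemaIDGUID).schemaIDGUID
$groupGuid  = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=group)'  -Properties schemaIDGUID).schemaIDGUID

function Add-PkiDelegationAce {
    param(
        [Parameter(Mandatory)][string]$Dn,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType = [guid]::Empty,            # Empty = all properties
        [guid]$InheritedObjectType = [guid]::Empty    # Empty = all object classes
    )
    $path = "AD:\$Dn"
    $acl  = Get-Acl -Path $path
    # SelfAndChildren mirrors the -Inheritance value used in the post.
    $ace  = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::SelfAndChildren,
        $InheritedObjectType)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

function Get-PkiDelegationAce {
    # Returns only the ACEs on $Dn that name the delegated group, for review.
    param([Parameter(Mandatory)][string]$Dn)
    $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
    (Get-Acl -Path "AD:\$Dn").Access |
        Where-Object { $_.IdentityReference.Value -eq $account } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, InheritedObjectType, IsInherited
}

$pksDn    = "CN=Public Key Services,CN=Services,$configNC"
$groupDns = @(
    "CN=Pre-Windows 2000 Compatible Access,CN=Builtin,$domainDN",
    "CN=Cert Publishers,CN=Users,$domainDN"
)

# 1. Full control on Public Key Services and its direct children.
Add-PkiDelegationAce -Dn $pksDn -Rights GenericAll

# 2./3. Write 'member' on the two domain groups, limited to objects of class 'group'.
foreach ($dn in $groupDns) {
    Add-PkiDelegationAce -Dn $dn -Rights WriteProperty -ObjectType $memberGuid -InheritedObjectType $groupGuid
}

# Read everything back; the PKS entry should show GenericAll, the groups WriteProperty
# with ObjectType equal to $memberGuid and InheritedObjectType equal to $groupGuid.
foreach ($dn in @($pksDn) + $groupDns) {
    "--- $dn"
    Get-PkiDelegationAce -Dn $dn | Format-Table -AutoSize
}
```

Running Get-PkiDelegationAce on the three objects after the original script is also a quick way to audit what Grant-ADPermission actually wrote, and to spot any extra ACE for the group that should not be there.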
