Re: PKI / Delegating Certificate Template Management
From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 03/30/04
- In reply to: Christoph Buchser: "PKI / Delegating Certificate Template Management"
Date: Tue, 30 Mar 2004 05:41:35 -0800
Are you trying to change the ownership of the default templates that are
installed in AD?

--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com

"Christoph Buchser" <ch.buchser@gmx.ch> wrote in message
news:5791a602.0403292321.7a72eafc@posting.google.com...
> Hi all
>
> Initial situation:
> Microsoft PKI with a standalone, offline CA and a subordinated
> enterprise CA with Windows Enterprise Server 2003. Active Directory
> with a root domain and several subdomains.
> For administering the SubCA we established a user "CA-administrator"
> as a normal domain user in the Active Directory root domain. He has no
> domain administration rights granted but only local admin rights on
> the SubCA.
>
> Delegating Certificate Template Management:
> For convenience in managing the certificate templates without domain
> administrator rights, we've read the TechNet document "Implementing
> and Administering Certificate Templates in Windows Server 2003"
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/deploy/confeat/ws03crtm.asp
> We went for it step by step as described under "Delegating Template
> Management".
>
> Problem:
> Now as we tested with the ca-administrator's account by working on a
> template by using the certificate templates MMC, a warning
> popped up: "Windows cannot save changes to the certificate template.
> This security ID may not be assigned as the owner of this object." We
> couldn't save the changed settings.
>
> So we changed the owner of the template to this especially created
> universal group. The same warning appeared! But the owner was this
> especially created universal group with the ca-administrator as a
> member of it!
>
> We experimented and joined the ca-administrator also to the
> domain-administrators group and then it worked fine. But this is not
> what we are looking for.
>
> Question:
> What does this have to do with the security ID of the ca-administrator
> even though he is a member of the owner group of this object?
> Why does it not work with the group as the owner?
> What is the problem?
>
> Thanks to all who have some ideas!
>
> Christoph Buchser, Switzerland