Channel: Directory Services forum

AD CS - Restricted enrollment agents issue

Hello, everybody.

Currently I'm struggling to implement something according to these docs.
For simplicity's sake, my test setup is configured with a single enrollment agents group and a single certificate template. My goal is to prevent enrollment agents from issuing certificates to some privileged users. To make that happen I have configured the following two permission entries for restricted enrollment agents:
DOMAIN\Domain Users - Allow
BUILTIN\Administrators - Deny

And what if a particular user is a member (direct or indirect) of BOTH of the above groups? What is the effect of the above restrictions? Will the certificate request be allowed or denied? Common sense suggests that the request should be denied. But in my test environment it is not, which is very confusing. I tried many different combinations of denied/allowed groups and got contradictory results.

The ultimate question is: what is the definitive way to allow an enrollment agent to request a certificate on behalf of ANY user, EXCEPT members of particular domain security groups (local, global, universal, in this domain, in the whole forest, and including members of BUILTIN\ groups)?
I haven't found any particular guidance in Microsoft documentation or otherwise. It would be great if you could shed some light on this matter.

Thanks in advance.
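The first thing to pin down when a user is a "direct or indirect" member of both an Allow and a Deny group is what the domain controller actually computes as that user's recursive group membership, and whether the BUILTIN SID in the Deny entry is even among those groups. The script below is an added example, not code from the original post or from Microsoft: it reads the target user's constructed tokenGroups attribute (nested membership already expanded by the DC) and reports which entries of an Allow/Deny list modelled on the post the user matches. It goes beyond the post in that the list can hold any number of entries, not just the two shown. The account name 'jdoe' is a placeholder, and it is assumed to run in Windows PowerShell 5.1 or later on a domain-joined host with line of sight to a DC; it does not touch the CA configuration.

```powershell
# Added example, not part of the original post. Enumerates the recursive security-group
# membership of a target user as a domain controller computes it (the constructed
# tokenGroups attribute, which already includes nested/indirect membership), then shows
# which entries of a constructed Allow/Deny list, modelled on the post, that user hits.
# Assumptions: Windows PowerShell on a domain-joined machine; 'jdoe' is a placeholder account.
param(
    [string]$SamAccountName = 'jdoe'
)

# Locate the user object in the current domain
$searcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
$hit = $searcher.FindOne()
if (-not $hit) { throw "User '$SamAccountName' not found in the current domain" }

# tokenGroups is constructed on demand, so ask the DC for it explicitly
$user = $hit.GetDirectoryEntry()
$user.RefreshCache([string[]]@('tokenGroups', 'objectSid'))

$userSid   = [System.Security.Principal.SecurityIdentifier]::new($user.Properties['objectSid'][0], 0)
$domainSid = $userSid.AccountDomainSid

$memberSids = foreach ($raw in $user.Properties['tokenGroups']) {
    [System.Security.Principal.SecurityIdentifier]::new($raw, 0)
}

# Constructed restriction list mirroring the post; replace with the CA's actual entries.
# Well-known SIDs are built directly so the comparison does not depend on name resolution.
$restrictions = @(
    [pscustomobject]@{
        Name   = 'DOMAIN\Domain Users'
        Sid    = [System.Security.Principal.SecurityIdentifier]::new(
                     [System.Security.Principal.WellKnownSidType]::AccountDomainUsersSid, $domainSid)
        Access = 'Allow'
    }
    [pscustomobject]@{
        Name   = 'BUILTIN\Administrators'   # S-1-5-32-544
        Sid    = [System.Security.Principal.SecurityIdentifier]::new(
                     [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
        Access = 'Deny'
    }
)

Write-Host "Recursive group membership of $SamAccountName as computed by the DC:"
foreach ($sid in $memberSids) {
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '<unresolved>' }
    Write-Host ("  {0,-48} {1}" -f $sid.Value, $name)
}

Write-Host "`nRestriction entries this user matches:"
foreach ($entry in $restrictions) {
    $matched = $memberSids | Where-Object { $_ -eq $entry.Sid }
    $state = if ($matched) { 'MATCH' } else { 'no match' }
    Write-Host ("  {0,-5} {1,-26} {2}" -f $entry.Access, $entry.Name, $state)
}
```

One caveat this check makes visible: S-1-5-32-544 is the same SID on every Windows machine, but its membership is per machine. What the DC reports here is membership of the domain controllers' Builtin\Administrators group; a CA host that is not a DC has its own BUILTIN\Administrators with its own members. A restriction keyed on a BUILTIN SID therefore does not necessarily describe the same set of users on the CA that it does on the DC, which is one thing to rule out before reasoning about Allow/Deny precedence.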
