Some organizations require further restrictions on certificate manager activities. Rather than allow a certificate manager to issue or revoke any certificate issued by a CA, the organization might want a certificate manager to only manage a subset of all certificates.
Windows Server 2000 Certificate Services allows a CA administrator to define restrictions for certificate managers. A certificate manager restriction limits a certificate manager to only issuing or revoking a certificate whose subject has membership in a specified security group.
For example, assume that the APACCertManagers and EMEACertManagers groups are assigned the Issue and Manage Certificates permission.
Important To define a certificate manager restriction for a specific user or group, that user or group must be explicitly assigned the Issue and Manage Certificates permission on the CA's Security tab. You cannot define certificate manager restrictions for users or groups that are only nested within a group assigned the Issue and Manage Certificates permission.
A CA administrator could then restrict which groups, computers, or users the APACCertManagers and EMEACertManagers can manage. The APACCertManagers group can be limited to only issuing or revoking certificates issued to the members of the APACUsers and APACComputers groups. Likewise, the EMEACertManagers group can be limited to issuing and revoking certificates issued to the EMEAUsers and EMEAComputers groups.
Important If a user account has membership in both the APACUsers and EMEAUsers groups, the certificate issued to that user can be managed by certificate managers in either the APACCertManagers or EMEACertManagers groups.
To implement certificate manager restrictions, the CA computer account must be included in the Pre-Windows 2000 Compatible Access group. Membership in this group allows the CA to determine the group memberships defined for the subject of a certificate.
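The following is an added example, not code from Certificate Services or from the text above: a small model of the decision the CA makes when a certificate manager restriction is in force, using the group names from the example. The directory contents, the `DIRECTORY`, `ISSUE_AND_MANAGE` and `RESTRICTIONS` tables, and the user names are all constructed assumptions. It shows the three points a practitioner would want to verify when auditing such a configuration: a manager may only act on certificates whose subject is in one of the manager's restriction groups; a subject in both APACUsers and EMEAUsers is manageable by either manager group; and restrictions can only be attached to principals that hold the permission explicitly, while users nested in such a group inherit that group's restriction.

```python
"""Model of Certificate Services certificate manager restrictions.

Constructed example for reasoning about the policy; the real decision is made
by the CA from its Security tab ACL, its certificate manager restrictions and
the group memberships it resolves through Pre-Windows 2000 Compatible Access.
"""
from typing import Dict, FrozenSet, Iterable, Set

# Constructed directory: group -> direct members (users, computer accounts, or groups).
DIRECTORY: Dict[str, Set[str]] = {
    "APACUsers": {"alice", "carol"},
    "APACComputers": {"APAC-WS01$"},
    "EMEAUsers": {"bob", "carol"},          # carol is in both regional user groups
    "EMEAComputers": {"EMEA-WS01$"},
    "APACCertManagers": {"apac-admin", "APACHelpdesk"},  # APACHelpdesk is nested
    "APACHelpdesk": {"dave"},
    "EMEACertManagers": {"emea-admin"},
}

# Principals explicitly granted Issue and Manage Certificates on the CA's Security tab.
ISSUE_AND_MANAGE: Set[str] = {"APACCertManagers", "EMEACertManagers"}

# Certificate manager restrictions: explicitly permitted principal -> subject groups
# it may manage. An entry that is absent means the manager is unrestricted.
RESTRICTIONS: Dict[str, Set[str]] = {
    "APACCertManagers": {"APACUsers", "APACComputers"},
    "EMEACertManagers": {"EMEAUsers", "EMEAComputers"},
}


def effective_groups(principal: str) -> FrozenSet[str]:
    """All groups the principal belongs to, including through nesting."""
    found: Set[str] = set()
    frontier = [principal]
    while frontier:
        current = frontier.pop()
        for group, members in DIRECTORY.items():
            if current in members and group not in found:
                found.add(group)
                frontier.append(group)  # walk up through nested groups
    return frozenset(found)


def define_restriction(principal: str, subject_groups: Iterable[str]) -> None:
    """Attach a restriction; only allowed for principals explicitly on the ACL."""
    if principal not in ISSUE_AND_MANAGE:
        raise ValueError(
            f"{principal} is not explicitly assigned Issue and Manage Certificates; "
            "restrictions cannot be defined for nested users or groups"
        )
    RESTRICTIONS[principal] = set(subject_groups)


def can_manage(manager: str, subject: str) -> bool:
    """True if `manager` may issue or revoke a certificate issued to `subject`."""
    manager_identities = {manager} | effective_groups(manager)
    grants = manager_identities & ISSUE_AND_MANAGE
    if not grants:
        return False  # holds no Issue and Manage Certificates permission at all
    subject_identities = {subject} | effective_groups(subject)
    for grant in grants:
        allowed = RESTRICTIONS.get(grant)
        if allowed is None:
            return True  # explicit entry without a restriction: unrestricted manager
        if subject_identities & allowed:
            return True  # subject is in one of the manager's restriction groups
    return False


def managers_for(subject: str, candidates: Iterable[str]) -> Set[str]:
    """Which of the candidate accounts may manage certificates issued to `subject`."""
    return {m for m in candidates if can_manage(m, subject)}


if __name__ == "__main__":
    for who in ("alice", "bob", "carol", "APAC-WS01$"):
        print(who, "->", sorted(managers_for(who, ("apac-admin", "emea-admin", "dave"))))
```

Running the block prints, for each subject, the managers permitted to act on its certificate; carol appears under both regional manager groups, which is the overlap case noted above, and dave, though only nested in APACCertManagers, is held to that group's restriction.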