A local Administrator can perform the following tasks at a Windows Server 2003 CA:
■ All CA administrator tasks. By default, the local Administrator account is assigned the Manage CA permission.
■ All certificate manager tasks. By default, the local Administrator account is assigned the Issue and Manage Certificates permission.
■ Enable or disable Common Criteria role separation. Members of the local Administrators group have the required permissions to make the necessary registry modifications to enable or disable Common Criteria role separation.
■ Install Certificate Services. To install Certificate Services, the installer must be a member of the local Administrators group.
■ Renew a CA certificate. To renew a CA certificate, the user must have access to the local machine's certificate store. By default, only members of the local Administrators group have the necessary access.
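Because every member of the local Administrators group can change the role separation setting, an audit of a CA should record both the current setting and the group's membership. The PowerShell script below is an added example, not part of the original text. It assumes PowerShell 2.0 or later is available on the CA, that role separation is stored in the RoleSeparationEnabled value under the Certificate Services configuration key, and that the local group carries its English name, Administrators.

```powershell
# Added example: report Common Criteria role separation state for each CA
# on this computer and list the accounts that are able to change it.
# Assumptions: run locally on the CA with rights to read HKLM; the local
# group is named "Administrators" (English-language Windows).

$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-RoleSeparationState {
    if (-not (Test-Path $configKey)) {
        Write-Warning 'Certificate Services configuration key not found.'
        return
    }
    # Each CA installed on the machine has a subkey named after the CA.
    foreach ($ca in Get-ChildItem $configKey) {
        $props = Get-ItemProperty -Path $ca.PSPath
        # RoleSeparationEnabled = 1 means enforced; absent or 0 means disabled.
        New-Object PSObject -Property @{
            CAName                = $ca.PSChildName
            RoleSeparationEnabled = ($props.RoleSeparationEnabled -eq 1)
        }
    }
}

function Get-LocalAdministrator {
    # The WinNT ADSI provider enumerates local and domain members of the group.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty',
                                               $null, $member, $null)
        New-Object PSObject -Property @{ Member = $path }
    }
}

Get-RoleSeparationState | Format-Table CAName, RoleSeparationEnabled -AutoSize
Get-LocalAdministrator  | Format-Table Member -AutoSize
```

On a CA without PowerShell, `certutil -getreg CA\RoleSeparationEnabled` reads the same value for the active CA.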