Modifying Membership in Cert Publishers

The Cert Publishers group is assigned permission to read and write certificate information to the userCertificate attribute of user objects. Certificates published to these attributes are typically encryption certificates, allowing anyone to obtain the public key of a target's encryption certificate by querying Active Directory.

By default, the Cert Publishers group from a specific domain is allowed to read and write to the userCertificate attribute for objects in the same domain, which is fine if you have a single-domain forest. If your forest consists of two or more domains, however, you must modify permissions to allow each domain's Cert Publishers group read and write permissions to the userCertificate attribute.

Note If an enterprise CA does not have sufficient permissions to write a certificate to the userCertificate attribute, the following entry will appear in the application log:

Event ID: 11
Source: Cert Server Enterprise Policy
Type: Warning
Description: CA was unable to publish the certificate for the Domain\server. Server is not part of the Cert Publishers group. Privilege violation.

The Cert Publishers group exists in the CN=Users,DomainName container (where DomainName is the LDAP distinguished name of the domain) in each domain in a Windows 2000 forest. In a Windows 2000 domain, the scope of the Cert Publishers group is a global group. This means that only user accounts, computer accounts, and global groups from the same domain can have membership in the Cert Publishers group.

To modify permissions to allow enterprise CAs from other domains to publish information to the userCertificate attribute, use the following strategy:

■ Assign each domain's Cert Publishers group the Read userCertificate permission in every domain in the forest.

■ Assign each domain's Cert Publishers group the Write userCertificate permission in every domain in the forest.

■ Assign each domain's Cert Publishers group the Read userCertificate permission at the CN=adminsdholder,CN=system,DomainName container in every domain in the forest.

■ Assign each domain's Cert Publishers group the Write userCertificate permission at the CN=adminsdholder,CN=system,DomainName container in every domain in the forest.

You can script these permission assignments by using the DSACLS.exe command from Windows Support Tools.

For the next example, assume that the domain configuration shown in Figure 4-3 is implemented.

Figure 4-3 A sample domain configuration

In this example, an enterprise CA exists in each domain in the forest: example.com, east.example.com, and west.example.com. You must add permissions for each domain's Cert Publishers group. The following script accomplishes these permission assignments:

:: Assign permissions to the example.com domain
dsacls "dc=example,dc=com" /I:S /G "East\Cert Publishers":RP;userCertificate;user
dsacls "dc=example,dc=com" /I:S /G "East\Cert Publishers":WP;userCertificate;user
dsacls "dc=example,dc=com" /I:S /G "West\Cert Publishers":RP;userCertificate;user
dsacls "dc=example,dc=com" /I:S /G "West\Cert Publishers":WP;userCertificate;user

:: Assign permissions to the east.example.com domain
dsacls "dc=east,dc=example,dc=com" /I:S /G "Example\Cert Publishers":RP;userCertificate;user
dsacls "dc=east,dc=example,dc=com" /I:S /G "Example\Cert Publishers":WP;userCertificate;user
dsacls "dc=east,dc=example,dc=com" /I:S /G "West\Cert Publishers":RP;userCertificate;user
dsacls "dc=east,dc=example,dc=com" /I:S /G "West\Cert Publishers":WP;userCertificate;user

:: Assign permissions to the west.example.com domain
dsacls "dc=west,dc=example,dc=com" /I:S /G "Example\Cert Publishers":RP;userCertificate;user
dsacls "dc=west,dc=example,dc=com" /I:S /G "Example\Cert Publishers":WP;userCertificate;user
dsacls "dc=west,dc=example,dc=com" /I:S /G "East\Cert Publishers":RP;userCertificate;user
dsacls "dc=west,dc=example,dc=com" /I:S /G "East\Cert Publishers":WP;userCertificate;user

:: Assign permissions to the AdminSDHolder container in example.com
:: (no /I:S here: the ACE is set directly on the AdminSDHolder object)
dsacls "cn=adminsdholder,cn=system,dc=example,dc=com" /G "East\Cert Publishers":RP;userCertificate
dsacls "cn=adminsdholder,cn=system,dc=example,dc=com" /G "East\Cert Publishers":WP;userCertificate
dsacls "cn=adminsdholder,cn=system,dc=example,dc=com" /G "West\Cert Publishers":RP;userCertificate
dsacls "cn=adminsdholder,cn=system,dc=example,dc=com" /G "West\Cert Publishers":WP;userCertificate

:: Assign permissions to the AdminSDHolder container in east.example.com
dsacls "cn=adminsdholder,cn=system,dc=east,dc=example,dc=com" /G "Example\Cert Publishers":RP;userCertificate
dsacls "cn=adminsdholder,cn=system,dc=east,dc=example,dc=com" /G "Example\Cert Publishers":WP;userCertificate
dsacls "cn=adminsdholder,cn=system,dc=east,dc=example,dc=com" /G "West\Cert Publishers":RP;userCertificate
dsacls "cn=adminsdholder,cn=system,dc=east,dc=example,dc=com" /G "West\Cert Publishers":WP;userCertificate

:: Assign permissions to the AdminSDHolder container in west.example.com
dsacls "cn=adminsdholder,cn=system,dc=west,dc=example,dc=com" /G "Example\Cert Publishers":RP;userCertificate
dsacls "cn=adminsdholder,cn=system,dc=west,dc=example,dc=com" /G "Example\Cert Publishers":WP;userCertificate
dsacls "cn=adminsdholder,cn=system,dc=west,dc=example,dc=com" /G "East\Cert Publishers":RP;userCertificate
dsacls "cn=adminsdholder,cn=system,dc=west,dc=example,dc=com" /G "East\Cert Publishers":WP;userCertificate
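After running the dsacls commands, a practitioner will want to confirm that every cross-domain grant actually landed. The following audit script is an added example, not part of the book; it assumes the ActiveDirectory PowerShell module, a session with read access to every domain, and a Cert Publishers group present in each domain as described above. It resolves the schemaIDGUID of userCertificate from the schema rather than hard-coding it, then reads each domain root and AdminSDHolder DACL and reports any other-domain Cert Publishers group that is missing Read Property or Write Property on that attribute.

```powershell
# Added audit example (not from the book): report gaps in the cross-domain
# userCertificate grants that the dsacls procedure above is meant to create.
Import-Module ActiveDirectory

# Resolve the schemaIDGUID of the userCertificate attribute instead of hard-coding it.
$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$userCertGuid = [guid](Get-ADObject -SearchBase $schemaNC `
                  -LDAPFilter '(lDAPDisplayName=userCertificate)' `
                  -Properties schemaIDGUID).schemaIDGUID

$domains = (Get-ADForest).Domains
# SID of each domain's Cert Publishers group, keyed by the domain DNS name.
$publisherSid = @{}
foreach ($d in $domains) {
    $publisherSid[$d] = (Get-ADGroup -Identity 'Cert Publishers' -Server $d).SID
}

function Test-UserCertAce {
    param([string]$Server, [string]$Dn, [System.Security.Principal.SecurityIdentifier]$Sid)
    # Read the DACL over ADSI and keep Allow ACEs granted to this SID on userCertificate.
    # At the domain root these are inherit-only ACEs (dsacls /I:S); on AdminSDHolder
    # they are explicit ACEs on the object itself. Both are returned by GetAccessRules.
    $sd   = ([ADSI]"LDAP://$Server/$Dn").ObjectSecurity
    $aces = $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object { $_.IdentityReference -eq $Sid -and
                           $_.ObjectType -eq $userCertGuid -and
                           $_.AccessControlType -eq 'Allow' }
    $rp = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    $wp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    [pscustomobject]@{
        Read  = [bool]($aces | Where-Object { $_.ActiveDirectoryRights.HasFlag($rp) })
        Write = [bool]($aces | Where-Object { $_.ActiveDirectoryRights.HasFlag($wp) })
    }
}

# For every target domain, check every *other* domain's Cert Publishers group at the
# domain root (inherited to user objects) and at AdminSDHolder (protected accounts).
$results = foreach ($target in $domains) {
    $domainDn = (Get-ADDomain -Identity $target).DistinguishedName
    foreach ($source in ($domains | Where-Object { $_ -ne $target })) {
        foreach ($dn in @($domainDn, "CN=AdminSDHolder,CN=System,$domainDn")) {
            $r = Test-UserCertAce -Server $target -Dn $dn -Sid $publisherSid[$source]
            [pscustomobject]@{ TargetObject = $dn; Group = "$source\Cert Publishers"
                               ReadOK = $r.Read; WriteOK = $r.Write }
        }
    }
}
# Every row printed here is a missing grant to close with the matching dsacls command.
$results | Where-Object { -not ($_.ReadOK -and $_.WriteOK) } | Format-Table -AutoSize
```

An empty table means every other-domain Cert Publishers group can both read and write userCertificate at the domain root and on AdminSDHolder in every domain.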


Responses

  • Longo
    What is cert publisher in active directory (win 2003)?
    9 years ago
  • columbus
    How do we get the Certificate Publishers group?
    9 years ago
  • Eemil
    What to write on a certificate of membership?
    9 years ago
  • Diana
    What is the group "Cert publishers"?
    4 years ago
  • violet
    How to assign write user certificate permission to cert publisher group?
    3 years ago
  • bruno
    What permissions should the cert publishers group have on active directory user objects?
    2 years ago
  • nasih
    Where is publisher display name in cert?
    1 year ago
  • caleb
    What are cert publisher groups used for?
    1 year ago