In this blog post, I’ll show you how to give users permission to manage an Enterprise CA without giving them Domain Admins rights.
One of the good things about the Windows Server 2016 CA is that it comes with the ability to assign management permissions to non-Domain Admin users.
About Certificate Authority
A Windows Enterprise CA server is a domain-joined server that issues trusted digital certificates to clients and servers on the network.
Once the Enterprise CA issues a certificate to a Web Server, that server is automatically trusted by all the computers on the domain.
The most common use of certificates is for Web Servers and Web Services that are using HTTPS.
In my case, I’ll give the user David Azure permissions to manage the CA and issue certificates to computers and users.
To assign permissions, I’m using the CA management console -> right-click -> Properties -> Security tab.
From the Security tab, we can see all the available permissions that we can assign to users. In my case, I’ll click Add and find David in AD.
I’ll click OK
And from the Permissions panel, I’ll tick the boxes:
- Issue and Manage Certificates
- Manage CA
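To confirm the delegation and see who else holds these rights, the following added example (not part of the original post) decodes the CA's security descriptor into the permission names shown on the Security tab. It assumes an elevated PowerShell session on the CA server; the function name `Get-CaPermission` is hypothetical, and a constructed SDDL sample is used when no CA is installed locally.

```powershell
# CA access-mask bits (certsrv.h) mapped to the labels on the Security tab
$CaRights = [ordered]@{
    'Manage CA'                     = 0x1    # CA_ACCESS_ADMIN
    'Issue and Manage Certificates' = 0x2    # CA_ACCESS_OFFICER
    'Read'                          = 0x100  # CA_ACCESS_READ
    'Request Certificates'          = 0x200  # CA_ACCESS_ENROLL
}

# Hypothetical helper: turn each ACE of a CA security descriptor into a readable row
function Get-CaPermission {
    param(
        [Parameter(Mandatory)]
        [System.Security.AccessControl.RawSecurityDescriptor]$Descriptor
    )
    foreach ($ace in $Descriptor.DiscretionaryAcl) {
        # Resolve the SID to an account name; keep the raw SID if it cannot be resolved
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }

        $mask    = $ace.AccessMask
        $granted = $CaRights.GetEnumerator() |
                   Where-Object { $mask -band $_.Value } |
                   ForEach-Object { $_.Key }

        [pscustomobject]@{
            Identity  = $who
            Type      = $ace.AceType                 # AccessAllowed or AccessDenied
            Rights    = $granted -join ', '
            CanManage = [bool]($mask -band 0x3)      # holds Manage CA and/or Issue and Manage Certificates
        }
    }
}

$cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
if (Test-Path -LiteralPath $cfg) {
    # On the CA server: read the live descriptor of the active CA
    $caName = (Get-ItemProperty -LiteralPath $cfg).Active
    $bytes  = (Get-ItemProperty -LiteralPath (Join-Path $cfg $caName)).Security
    $sd     = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
} else {
    # Constructed sample: Administrators hold both management rights,
    # Authenticated Users hold Read and Request Certificates
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new(
        'O:BAG:BAD:(A;;0x3;;;BA)(A;;0x300;;;AU)')
}

Get-CaPermission -Descriptor $sd | Sort-Object CanManage -Descending | Format-Table -AutoSize
```

Any identity listed with `CanManage` set to `True` that is not an intended CA administrator is worth reviewing.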
My recommendation is to use the CA permissions option if you need to give non-admin users permissions to manage the CA.
When it comes to adding users to the Domain Admins group, I always recommend reserving it for full-time administrators and engineers.