Microsoft 70-640: Which snap-in should you use?
Your network contains an Active Directory domain named adatum.com.
All servers run Windows Server 2008 R2 Enterprise.
All client computers run Windows 7 Professional.
The network contains an enterprise certification authority (CA).
You have a custom certificate template named Sales_Temp.
Sales_Temp is published to the CA.
You need to ensure that all of the members of a group named Sales can enroll for certificates that use Sales_Temp.
Which snap-in should you use?
A. Enterprise PKI
B. Certification Authority
C. Share and Storage Management
D. Certificate Templates
E. Security Configuration Wizard
F. Authorization Manager
G. Group Policy Management
H. Certificates
I. Active Directory Administrative Center
Correct Answer: D
Explanation/Reference:
Reference:
http://technet.microsoft.com/en-us/library/cc770794.aspx
Deploying Certificate Templates
After creating a new certificate template, the next step is to deploy the certificate template so that a certification authority (CA) can issue certificates based on it. Deployment includes publishing the certificate template to one or more CAs, defining which security principals have Enroll permissions for the certificate template, and deciding whether to configure autoenrollment for the certificate template.
To define permissions to allow a specific security principal to enroll for certificates based on a certificate template:
1. Open the Certificate Templates snap-in (Certtmpl.msc).
2. In the details pane, right-click the certificate template you want to change, and then click Properties.
3. On the Security tab, ensure that Authenticated users is assigned Read permissions. This ensures that all authenticated users on the network can see the certificate templates.
4. On the Security tab, click Add. Add a global group or universal group that contains all security principals requiring Enroll permissions for the certificate template, and then click OK.
5. On the Security tab, select the newly added security group, and then assign Allow for the Read and Enroll permissions.
6. Click OK.
Permission Design
Use the following recommendations for permissions assignments:
Assign permissions only to global groups or to universal groups. It is not recommended to assign permissions to domain local groups. Domain local groups are only recognized in the domain where they exist, and assigning permissions to them can result in inconsistent application of permissions. You should not assign permissions directly to an individual user or computer account.
(…)
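To confirm the result of the procedure and the permission-design recommendation, the template's ACL can be read back from Active Directory. The following read-only PowerShell audit is an added example, not part of the referenced TechNet article; it assumes a domain-joined host, the template name Sales_Temp and the group ADATUM\Sales from the question, and uses the well-known Certificate-Enrollment extended-right GUID.

```powershell
# Added example: read-only audit of a certificate template's Enroll/Read ACEs.
# Assumed names from the question: template Sales_Temp, group ADATUM\Sales.
$TemplateCn = 'Sales_Temp'
$GroupName  = 'ADATUM\Sales'
$AuthUsers  = 'NT AUTHORITY\Authenticated Users'

# Certificate-Enrollment extended right; an empty GUID means "all extended rights".
$EnrollGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$ExtRight   = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GenRead    = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead

# Templates live in the forest-wide Configuration partition.
$cfg   = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$entry = [ADSI]"LDAP://CN=$TemplateCn,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
$rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
$allow = @($rules | Where-Object { $_.AccessControlType -eq 'Allow' })

# Every principal that is allowed to enroll, not only the expected group.
$enrollers = @($allow | Where-Object {
    ([int]$_.ActiveDirectoryRights -band $ExtRight) -and
    ($_.ObjectType -eq $EnrollGuid -or $_.ObjectType -eq [Guid]::Empty)
})
$enrollers | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize

# True when the named principal holds an Allow ACE covering Read.
function Test-Read([string]$Identity) {
    [bool]($allow | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        (([int]$_.ActiveDirectoryRights -band $GenRead) -eq $GenRead)
    })
}
$canEnroll = [bool]($enrollers | Where-Object { $_.IdentityReference.Value -eq $GroupName })
"{0}: Read={1} Enroll={2}" -f $GroupName, (Test-Read $GroupName), $canEnroll
"{0}: Read={1}" -f $AuthUsers, (Test-Read $AuthUsers)

# Permission design: Enroll should go to a global or universal group.
$sam = $GroupName.Split('\')[1]
$hit = ([adsisearcher]"(&(objectCategory=group)(sAMAccountName=$sam))").FindOne()
if ($hit) {
    $type  = [int]$hit.Properties['grouptype'][0]
    $scope = if ($type -band 0x4) { 'DomainLocal' } elseif ($type -band 0x8) { 'Universal' } else { 'Global' }
    "{0}: scope={1}" -f $GroupName, $scope
    if ($scope -eq 'DomainLocal') { Write-Warning 'Domain local group holds template permissions.' }
} else {
    Write-Warning "$GroupName was not found as a group; check for a user or computer ACE."
}
```

Any unexpected entry in the enrollers table (for example a broad built-in group) is worth reviewing, since every listed principal can request certificates from this template.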