Identity with Windows Server 2016 — Question 11

You have an enterprise certification authority (CA).
You create a global security group named Group1.
You need to provide members of Group1 with the ability to issue and manage certificates.
The solution must prevent the Group1 members from managing certificates requested by members of the Domain Admins group.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

Answer options

• A. From the CA properties, modify the Policy Module settings.
• B. From the Certificate Templates console, modify the Security settings of the Administrator certificate template.
• C. From the CA properties, modify the Security settings.
• D. From the CA properties, modify the Enrollment Agents settings.
• E. From the CA properties, modify the Certificate Managers settings.
• F. From the Certificate Templates console, modify the Security settings of the User certificate template.

Correct answer: C, E

Explanation

The correct answers are C and E because modifying the Security settings in the CA properties allows you to control the permissions for Group1 members, while updating the Certificate Managers settings ensures that they can manage certificates without affecting those requested by Domain Admins. The other options do not specifically address the required permissions for Group1 or involve templates that are not relevant to the scenario.