1
00:00:07,670 --> 00:00:15,920
To configure certificate template permissions, you need to define the DACL on the Security tab for each

2
00:00:15,920 --> 00:00:17,900
cert template.

3
00:00:18,020 --> 00:00:26,910
The permissions assigned to a certificate template will define which users or groups can read or modify

4
00:00:27,200 --> 00:00:34,960
the certificate template and who can enroll or use autoenrollment for the certificate

5
00:00:34,970 --> 00:00:42,320
based on that certificate template. You can assign the following permissions to a certificate template:

6
00:00:42,890 --> 00:00:45,460
You can assign Full Control.

7
00:00:45,740 --> 00:00:54,260
The Full Control permission allows a security principal to modify all attributes of a certificate template,

8
00:00:54,800 --> 00:00:59,570
which includes permissions for the certificate template itself.

9
00:00:59,570 --> 00:01:08,620
It also includes permission to modify the security descriptor of the certificate template. The next

10
00:01:08,620 --> 00:01:09,890
permission is the Read

11
00:01:09,890 --> 00:01:18,160
permission. The Read permission allows a user or computer to view the certificate template when enrolling

12
00:01:18,160 --> 00:01:20,190
for certificates.

13
00:01:20,190 --> 00:01:29,780
The certificate server requires Read permission to find certificate templates in AD DS. Another

14
00:01:29,780 --> 00:01:31,940
permission is the Write permission.

15
00:01:31,940 --> 00:01:38,750
The Write permission allows a user or computer to modify the attributes of a certificate template.

16
00:01:39,550 --> 00:01:48,510
The Enroll permission allows a user or computer to enroll for a certificate based on the certificate

17
00:01:48,510 --> 00:01:49,530
template.

18
00:01:49,650 --> 00:01:57,000
However, to enroll for a certificate, you also must have Read permissions for the certificate template.

19
00:01:57,780 --> 00:02:06,260
And the last permission is Autoenroll. The Autoenroll permission allows the user or computer to retrieve

20
00:02:06,260 --> 00:02:10,320
a certificate through the autoenrollment process.

21
00:02:10,320 --> 00:02:20,150
However, the Autoenroll permission also requires the user or computer to have both Read and Enroll

22
00:02:20,220 --> 00:02:22,980
permissions for a certificate template.

23
00:02:24,210 --> 00:02:34,840
As a best practice, you should assign certificate template permissions to global or universal groups only.

24
00:02:34,980 --> 00:02:42,130
This is because the certificate template objects are stored in the configuration naming context in

25
00:02:42,130 --> 00:02:50,190
AD DS. Avoid assigning certificate template permissions to individual users or computer accounts.

26
00:02:51,080 --> 00:02:53,220
As a best practice,

27
00:02:53,250 --> 00:03:02,490
keep the Read permission allocated to the Authenticated Users group. Read permissions enable

28
00:03:02,520 --> 00:03:08,390
all users and computers to view the certificate templates in AD DS.

29
00:03:08,460 --> 00:03:19,710
This permission assignment also enables the CA, which runs under the System context of a computer account,

30
00:03:20,130 --> 00:03:22,490
to view the certificate templates

31
00:03:22,500 --> 00:03:31,990
when assigning certificates. This permission, however, does not grant Enroll rights, which helps ensure

32
00:03:32,080 --> 00:03:35,740
the safety of this configuration.

33
00:03:35,740 --> 00:03:40,340
Next up, we'll be talking about configuring certificate template settings.

34
00:03:40,420 --> 00:03:41,280
I'll see you there.