Certification authority (CA) access control permissions ensure that authorized components and users can complete required tasks. Access control errors can identify potential problems associated with insufficient or inappropriate use of permissions.
Update security permissions with an authorized user account
Confirm that the user who attempted to update security permissions has been authorized to set permissions on Active Directory Certificate Services (AD CS) objects.
If you did not intend for the user to be blocked from modifying permissions on AD CS objects, you need to:
Enable auditing on the certification authority (CA).
Grant the user the needed CA administrator and certificate manager permissions on the CA.
Complete the operation as an authorized user.
To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.
Enable auditing on a CA
To enable auditing on a CA:
On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.
Right-click the name of the CA, and click Properties.
Click the Auditing tab, and click Change CA security settings.
Restart the CA.
Before disabling CA auditing, audit administrative actions on the CA for several weeks or until you are satisfied that no other attacks are likely.
Note: To audit events, the computer must also be configured for auditing of object access. Audit policy options can be viewed and managed in local or domain Group Policy under Computer Configuration\Windows Settings\Security Settings\Local Policies.
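The same procedure from an elevated PowerShell prompt on the CA host, as an added example that is not part of the original article: it sets the "Change CA security settings" bit in the CA's AuditFilter registry value with certutil, restarts the service, and enables the Certification Services object-access subcategory with auditpol. It assumes a single CA on the host and an English-language system, because auditpol subcategory names are localized.

```powershell
# Added example: run elevated, as a user with Manage CA permission.
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# The "Active" value under Configuration names the CA hosted on this computer.
$caName = (Get-ItemProperty -Path $configKey -Name Active).Active
$caKey  = Join-Path $configKey $caName

# AuditFilter is a bitmask; each bit corresponds to one check box on the Auditing tab.
$auditBits = [ordered]@{
    'Start and stop AD CS'                  = 0x01
    'Back up and restore the CA database'   = 0x02
    'Issue and manage certificate requests' = 0x04
    'Revoke certificates and publish CRLs'  = 0x08
    'Change CA security settings'           = 0x10
    'Store and retrieve archived keys'      = 0x20
    'Change CA configuration'               = 0x40
}

# A missing AuditFilter value reads as 0 (nothing audited).
$current = [int](Get-ItemProperty -LiteralPath $caKey -Name AuditFilter -ErrorAction SilentlyContinue).AuditFilter
$wanted  = $current -bor $auditBits['Change CA security settings']

if ($wanted -ne $current) {
    # Preserve categories that are already enabled; only add the missing bit.
    certutil -setreg CA\AuditFilter $wanted | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed with exit code $LASTEXITCODE" }
    Restart-Service -Name CertSvc   # the CA reads the filter when the service starts
}

# CA audit events are written only when object access auditing covers Certification Services.
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable | Out-Null
if ($LASTEXITCODE -ne 0) { throw "auditpol failed with exit code $LASTEXITCODE" }

# Report the effective state of every audit category.
$effective = [int](Get-ItemProperty -LiteralPath $caKey -Name AuditFilter).AuditFilter
foreach ($entry in $auditBits.GetEnumerator()) {
    $state = if ($effective -band $entry.Value) { 'audited' } else { 'not audited' }
    '{0,-40} {1}' -f $entry.Key, $state
}
```

If a domain Group Policy defines the audit policy, it overrides the local auditpol setting at the next policy refresh, so make the equivalent change in that GPO.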
Grant administrator and certificate manager permissions on the CA
To set CA administrator and certificate manager security permissions for a CA:
In the console tree, click the name of the CA.
On the Action menu, click Properties.
Click the Security tab, and specify the security permissions.
Complete the CA management operation as an authorized user.
For more information about the roles and security permissions available for a CA, see "Implement Role-Based Administration" in the Certification Authority Help (http://go.microsoft.com/fwlink/?LinkId=104188).