AD CS: NDES Role Install Permission Error
Hi, I am currently installing NDES on a fresh standalone server in a 2008 R2 PKI environment (2 tier with Offline Root and Enterprise Subordinate Issuing / Policy CA). When selecting the CA server in the NDES install process, I am getting the following error:

Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344)

I believe this may be related to not having Enterprise Admin privilege, which is impractical in my environment due to strict security policy. I have tried to meet all installation criteria but am still receiving the error. Could somebody please tell me what option I could enable specifically to avoid requiring an Enterprise Admin user?

As per the whitepaper (Microsoft NDES 2009, by Oded Shekel & Alex Radutskiy), I have created 2 domain users: an SCEP-Admin account and an SCEP-Service account. I am logged onto the server as SCEP-Admin and using the user account SCEP-Service for the installation of NDES.

SCEP-Admin
Must be part of the local Administrators group. Yes
For setting up the service with an Enterprise CA, this user should have the following permissions as well:
Must have Enroll permission on the Exchange Enrollment Agent (Offline request) and CEP Encryption templates. Yes
Must have permissions to add templates to the selected CA. Yes? (User has Allow Manage CA permission and also Issue and Manage Certificates permission on the CA)
Must be a member of the Enterprise Administrator group (or have permissions to modify certificate templates). NO. Doesn't the above point satisfy this criterion?

SCEP-Service
Must be a member of the local IIS_IUSRS group. Yes
Must have Request permission on the configured CA. Yes
Must be a domain user account and have Read AND Enroll permissions on the configured templates. Yes (I assume the same 2 certificate templates mentioned previously?)
Must have an SPN set in Active Directory. Yes

Could anybody tell me specifically what security measure I need to enable besides granting the user Enterprise Admin rights to complete this step?
October 9th, 2012 2:03am
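The checklist in the question can be verified from the NDES server before re-running the wizard, which separates "a prerequisite is missing" from "the installer needs a right the checklist does not mention". The PowerShell below is an added example, not code from this thread or from the whitepaper. It assumes the RSAT ActiveDirectory module is installed on the server, that the account names are SCEP-Admin and SCEP-Service as in the post, and it uses the default object names of the two templates (EnrollmentAgentOffline and CEPEncryption). Error 0x80072098 / 8344 is ERROR_DS_INSUFF_ACCESS_RIGHTS, an access-denied returned by the directory itself, so the checks against AD objects (template ACLs, Enterprise Admins membership of the installing logon) are the ones to read first.

```powershell
# Added example (not from the thread): pre-flight check of the NDES install
# prerequisites listed in the question, run on the NDES server as SCEP-Admin.
# Assumes the RSAT ActiveDirectory module is installed and that the account
# names below match your environment.
Import-Module ActiveDirectory

$scepAdmin   = 'SCEP-Admin'     # sAMAccountName of the installing account
$scepService = 'SCEP-Service'   # sAMAccountName of the NDES service account
# Object names (CN) of the two default templates NDES needs; their display
# names are "Exchange Enrollment Agent (Offline request)" and "CEP Encryption".
$templates   = @('EnrollmentAgentOffline', 'CEPEncryption')
# Control access right GUID for Certificate-Enrollment, i.e. the "Enroll" permission.
$enrollGuid  = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

# Membership of a local group, read through the WinNT ADSI provider
# (works on 2008 R2, which has no Get-LocalGroupMember).
function Test-LocalGroupMember {
    param([string]$Group, [string]$User)
    $grp = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    $members = @($grp.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
    return [bool]($members -contains $User)
}

# Whether the current logon token carries Enterprise Admins membership.
function Test-EnterpriseAdmin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $names = foreach ($g in $id.Groups) {
        try { $g.Translate([Security.Principal.NTAccount]).Value } catch { }
    }
    return [bool]($names -match '\\Enterprise Admins$')
}

# Principals holding an explicit Allow "Enroll" ACE on a template object
# in the Configuration partition.
function Get-TemplateEnrollPrincipals {
    param([string]$TemplateName)
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $dn  = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $enrollGuid } |
        ForEach-Object { $_.IdentityReference.Value }
}

$checks = @()
function Add-Check([string]$Name, [bool]$Pass) {
    $script:checks += New-Object PSObject -Property @{ Check = $Name; Pass = $Pass }
}

Add-Check 'Installing user is Enterprise Admin'  (Test-EnterpriseAdmin)
Add-Check "$scepAdmin in local Administrators"   (Test-LocalGroupMember 'Administrators' $scepAdmin)
Add-Check "$scepService in local IIS_IUSRS"      (Test-LocalGroupMember 'IIS_IUSRS' $scepService)

$svc = Get-ADUser -Identity $scepService -Properties servicePrincipalName
Add-Check "$scepService has an SPN"              ([bool]$svc.servicePrincipalName)

foreach ($t in $templates) {
    $principals = @(Get-TemplateEnrollPrincipals $t)
    $adminRx    = '\\' + [regex]::Escape($scepAdmin)   + '$'
    $serviceRx  = '\\' + [regex]::Escape($scepService) + '$'
    Add-Check "$scepAdmin has explicit Enroll on $t"   ([bool]($principals -match $adminRx))
    Add-Check "$scepService has explicit Enroll on $t" ([bool]($principals -match $serviceRx))
}

$checks | ForEach-Object {
    '{0,-4} {1}' -f $(if ($_.Pass) { 'OK' } else { 'FAIL' }), $_.Check
}
```

The template checks match ACEs by account name only, so an Enroll right inherited through a group (for example one granted to a custom NDES group) shows as FAIL even though the effective permission is present; treat a FAIL there as "no direct ACE", and resolve group grants separately before concluding the right is missing.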

Sorry, you must be an Enterprise Admin to install the NDES role service - end of story.
Brian
October 9th, 2012 8:14am

Doh! Do you know if it is possible to remove the privilege once installed and not break NDES?
October 9th, 2012 7:32pm

Yes, you can remove membership from Enterprise Admin Group after successful installation. No risk to break NDES.
October 25th, 2012 9:32am

I was hoping to use these steps:
Service account created and requirements performed to grant the listed rights.
Exchange and CEP templates have Enterprise Admins granted Read and Enroll rights.
Have an Enterprise Admin member log into the server and perform the add NDES role using the preconfigured service account where needed during the install wizard.
If role addition is successful, my secondary CA manager account can add new desired templates to the CA. These templates have been duplicated for me by EAs and granted Read/Write controls so I can modify as needed.
Where would the actual EA rights be needed after the role is successfully installed?
Bobby
November 6th, 2012 12:48pm
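The post-install step in the procedure above, the CA manager account adding further templates to the CA, needs only the Manage CA permission on the CA, not Enterprise Admins. The PowerShell below is an added example and not code from this thread; the CA config string (HOST\CA common name) and the template name are placeholders to replace with your own values. It wraps certutil, which already exists on a 2008 R2 CA, and checks the CA's template list before and after so a repeated run is harmless.

```powershell
# Added example (not from the thread): publish a template to the issuing CA
# using the CA manager account, which needs "Manage CA" on the CA rather than
# Enterprise Admins. The config string and template name are placeholders.
$caConfig = 'ISSUINGCA01.corp.example\Corp Issuing CA'   # "CAHOST\CA common name"
$template = 'CEPEncryption'                               # template object name, not display name

# Templates currently published on the CA. "certutil -CATemplates" prints one
# line per template in the form "ObjectName: Display Name -- Auto-Enroll: ...",
# followed by a "CertUtil: ... completed successfully." status line we skip.
function Get-PublishedTemplates {
    param([string]$Config)
    $out = & certutil -config $Config -CATemplates 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -CATemplates failed:`n$out" }
    $names = @()
    foreach ($line in $out) {
        if ("$line" -match '^([^\s:]+): .+ -- ') { $names += $Matches[1] }
    }
    return $names
}

# Add the template to the CA's list if it is not already there, then verify
# the CA actually lists it (SetCATemplates can succeed without taking effect
# if the name is wrong, so re-read rather than trust the exit code alone).
function Publish-CATemplate {
    param([string]$Config, [string]$Name)
    if (@(Get-PublishedTemplates $Config) -contains $Name) {
        return "$Name is already published on $Config"
    }
    $out = & certutil -config $Config -SetCATemplates "+$Name" 2>&1
    if ($LASTEXITCODE -ne 0) { throw "SetCATemplates +$Name failed:`n$out" }
    if (@(Get-PublishedTemplates $Config) -notcontains $Name) {
        throw "$Name was accepted but is not listed by -CATemplates"
    }
    return "$Name published on $Config"
}

Publish-CATemplate $caConfig $template
```

Publishing a template on the CA and granting the service account Read/Enroll on it are two different ACLs: the first lives on the CA object and is what Manage CA controls, the second lives on the template object in the Configuration partition and is what the Read/Write control on the duplicated templates lets the CA manager set. Keeping those two grants on a per-template basis is what lets the EA membership be dropped once the role itself is installed.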
