AD CS how to make granular delegation?
Hello. I have one server with AD CS in my AD environment. Can I delegate to a user the ability to manage certificates for the users in an OU?
December 27th, 2008 12:24am

Hi,

If you want to enable some users to request certificates on behalf of others, you can grant permission to these users to become an enrollment agent. A user becomes an enrollment agent by enrolling for an Enrollment Agent certificate.

Important: Once someone has an Enrollment Agent certificate, that person can enroll for a certificate and generate a smart card on behalf of anyone in the organization. The resulting smart card could then be used to log on to the network and impersonate the real user. Because of the powerful capability of the Enrollment Agent certificate, it is strongly recommended that your organization maintain very strong security policies over who has one.

Membership in the Users group and an Enrollment Agent certificate are the minimum requirements to complete this procedure.

To enroll for a certificate on behalf of other users:

1. Open the Certificates snap-in for a user.
2. Confirm that you are in Logical Stores View.
3. In the console tree, expand the Personal store, and then click Certificates.
4. On the Action menu, point to All Tasks, select Advanced Operations, and then click Enroll on behalf of to open the Certificate Enrollment Wizard. Click Next.
5. Browse to the Enrollment Agent certificate that you will use to sign the certificate request that you are processing. Click Next.
6. Select the type of certificate that you want to enroll for. When you are ready to request a certificate, click Enroll.
7. After the Certificate Renewal Wizard has successfully finished, click Close.

Meanwhile, we need to define the "Issuance Requirements" for the corresponding certificate template to meet this requirement. The correct settings are as follows:

1. Open the Certificate Templates snap-in and double-click the duplicated template.
2. Click on the Issuance Requirements tab, and make sure the option "This number of authorized signatures" is checked, to tell the CA how many agent signatures are required to request the certificate. In our situation, we need only one signature. Therefore, please make sure the option is set to 1.
3. At the same time, we need to select "Certificate Request Agent" in the dropdown list of "Application policy", which corresponds to a "Certificate Enrollment Agent" certificate.

Web enrollment in Windows Server 2008 no longer supports the Enroll on behalf function.

922706 - How to use Certificate Services Web enrollment pages together with Windows Vista or Windows Server 2008: http://support.microsoft.com/default.aspx?scid=kb;EN-US;922706
December 29th, 2008 6:59am
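The Issuance Requirements settings described in the reply above are stored on each template object in the forest's Configuration partition. The following audit script is an added example, not code from the thread or from Microsoft: it lists which templates require an enrollment agent's signature and which templates can issue an Enrollment Agent certificate (the ones whose enrollment permissions deserve the tight control the reply warns about). It assumes the RSAT ActiveDirectory PowerShell module is installed and that the caller can read the Configuration partition.

```powershell
# Added audit example (not from the original thread). Assumes the RSAT
# ActiveDirectory module is available and the caller can read the
# Configuration naming context of the forest.
Import-Module ActiveDirectory

# OID of the "Certificate Request Agent" application policy, i.e. the EKU
# carried by an Enrollment Agent certificate.
$CertRequestAgentOid = '1.3.6.1.4.1.311.20.2.1'

# Certificate templates are published under Public Key Services in the
# Configuration partition.
$configNC    = (Get-ADRootDSE).configurationNamingContext
$templatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$templates = Get-ADObject -SearchBase $templatesDN -SearchScope OneLevel `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties displayName, 'msPKI-RA-Signature', 'msPKI-RA-Application-Policies', pKIExtendedKeyUsage

foreach ($t in $templates) {
    # "This number of authorized signatures" on the Issuance Requirements tab.
    # A missing attribute converts to 0, i.e. no agent signature is required.
    $sigCount   = [int]($t.'msPKI-RA-Signature')

    # "Application policy" required on the signing (agent) certificate. On V3+
    # templates this attribute is a compound string, so match on the OID substring.
    $raPolicies = @($t.'msPKI-RA-Application-Policies') -join ','
    $requiresAgentSignature = ($sigCount -ge 1) -and ($raPolicies -like "*$CertRequestAgentOid*")

    # Templates that themselves issue an Enrollment Agent certificate: whoever
    # can enroll here can later enroll on behalf of other users.
    $issuesAgentCert = @($t.pKIExtendedKeyUsage) -contains $CertRequestAgentOid

    [pscustomobject]@{
        Template                  = $t.displayName
        AuthorizedSignatures      = $sigCount
        RequiresAgentSignature    = $requiresAgentSignature
        IssuesEnrollmentAgentCert = $issuesAgentCert
    }
}
```

Pipe the output to `Where-Object IssuesEnrollmentAgentCert` to get the short list of templates whose enrollment ACLs you should review; pipe it to `Where-Object RequiresAgentSignature` to confirm the template you duplicated was configured as step 2 and 3 above describe.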
