Certificate Authority - Post Migration EventID 80
Hey everyone,
I moved my root CA today from a W2k3 EE node to a W2k8 R2 node. All appears to be working because I can enroll from the intranet site and I can request certs from the CERTMGR.msc GUI, but requesting certificates leaves a warning with Event ID 80 in the App logs.
Now, on the client machine, I can request EFS, User, or Machine certs...and they all state they're OK after they're delivered.
I know they state to allow Cert Publishers RW rights on the container:
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/f3e15f65-8752-4e94-91c7-64207247eb51/
But in step #3, I don't see Domain Computers in my list...under Public Key Services, all I see is (AIA, CDP, Certificate Templates, Certificate Authorities, Enrollment Services, KRA, OID).
So I added Cert Publishers to all the nodes in there, but that didn't help.
What am I doing wrong??? Below is the error.
Active Directory Certificate Services could not publish a Certificate for request 12 to the following location on server dc.mydomain.local: CN=Michael J Fox,OU=TechDepartment,OU=Users,OU=Baltimore,OU=Locations,DC=mydomain,DC=local. Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344).ldap: 0x32: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
May 6th, 2011 3:25pm
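Added example, not part of the original thread: a Python sketch that parses the Event ID 80 text quoted above, checks that the HRESULT unpacks to the Win32 code the message states, and tallies access-denied publish failures per parent container so you can see which OUs the CA cannot write to. The function names and the regular expression are assumptions built from this one message.

```python
import re
from collections import Counter

# Constructed sample: the Event ID 80 text quoted in the post, line break included.
SAMPLE = (
    "Active Directory Certificate Services could not publish a Certificate for "
    "request 12 to the following location on server dc.mydomain.local: "
    "CN=Michael J Fox,OU=TechDepartment,OU=Users,OU=Baltimore,OU=Locations,"
    "DC=mydomain,DC=local. Insufficient access rights\nto perform the operation. "
    "0x80072098 (WIN32: 8344).ldap: 0x32: 00002098: SecErr: DSID-03150BB9, "
    "problem 4003 (INSUFF_ACCESS_RIGHTS), data 0"
)

# Assumed message layout, derived only from the sample above.
EVENT80 = re.compile(
    r"for request (?P<request>\d+) to the following location on server "
    r"(?P<server>\S+): (?P<dn>.+?)\.\s+(?P<reason>.+?)\s+"
    r"(?P<hresult>0x[0-9A-Fa-f]{8}) \(WIN32: (?P<win32>\d+)\)\.?\s*"
    r"ldap: (?P<ldap>0x[0-9A-Fa-f]+):"
)
# LDAP result codes from RFC 4511 that are relevant when a directory write fails.
LDAP_RESULTS = {32: "noSuchObject", 49: "invalidCredentials", 50: "insufficientAccessRights"}
FACILITY_WIN32 = 7


def parse_event80(message):
    """Return the fields of a CA Event ID 80 message, or None if it does not match."""
    m = EVENT80.search(" ".join(message.split()))  # undo line wrapping
    if m is None:
        return None
    hresult = int(m["hresult"], 16)
    facility, code = (hresult >> 16) & 0x1FFF, hresult & 0xFFFF
    rdns = re.split(r"(?<!\\),", m["dn"])  # split on commas that are not escaped
    return {
        "request_id": int(m["request"]),
        "server": m["server"],
        "target_dn": m["dn"],
        "parent_container": ",".join(rdns[1:]),
        "win32_code": code if facility == FACILITY_WIN32 else None,
        "codes_agree": facility == FACILITY_WIN32 and code == int(m["win32"]),
        "ldap_result": LDAP_RESULTS.get(int(m["ldap"], 16), "other"),
    }


def denied_by_container(messages):
    """Count access-denied publish failures per parent container of the target object."""
    parsed = filter(None, map(parse_event80, messages))
    return Counter(p["parent_container"] for p in parsed
                   if p["ldap_result"] == "insufficientAccessRights")
```

Feed `denied_by_container` the message text of exported Event ID 80 records; containers with high counts are where the CA's write permission on the target objects should be checked.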
On Fri, 6 May 2011 19:20:35 +0000, inverted_2000a wrote:
> I know they state to allow Cert Publishers RW rights on the container:
> http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/f3e15f65-8752-4e94-91c7-64207247eb51/
> But in step #3, I don't see Domain Computers in my list...under Public Key Services, all I see is (AIA, CDP, Certificate Templates, Certificate Authorities, Enrollment Services, KRA, OID).
> So I added Cert Publishers to all the nodes in there, but that didn't help.
The Technet article is messed up. Domain Computers and Domain Users are
referring to Active Directory groups so you need to do this in Active
Directory Users and Computers.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Bipolar: Refers to someone who has homes in Gnome, Alaska and Buffalo, New
York.
May 6th, 2011 3:39pm
That's nice...I wonder how many other articles I read and depend on are incorrect too :o)
Thanks a lot, that did the trick!!!
May 6th, 2011 3:56pm